28 June 2018
InternetNZ believes the Z Energy data breach provides a useful lesson for them, and other organisations.
Ben Creet, Policy Manager at InternetNZ and author of New Zealand’s guidelines for security vulnerability disclosure says, “Once the media get involved in a security breach like Z Energy have had, there has been a failure of processes to disclose and fix a vulnerability.”
Firstly, this is a data breach. That’s why it’s important that the Privacy Bill and it’s mandatory data breach reporting regime is enacted. New Zealand needs to collectively lift its game when data breaches happen. The default position should be to tell your customers when a breach occurs.
If people are finding vulnerabilities and data breaches in New Zealand organisation's websites and services, you should report to CERTNZ. They are the experts and have the mana to get an organisation's attention. You can report a vulnerability to CERT here: https://www.cert.govt.nz/it-specialists/guides/reporting-a-vulnerability/
Additionally, we think that more New Zealand organisations should have their own vulnerability disclosure policies. The New Zealand Internet Task Force released guidelines about how to report, and receive information about security problems in 2013: http://www.nzitf.net.nz/pdf/NZITF_Disclosure_Guidelines_2014.pdf
We run a disclosure policy for the .nz registry (here) and organisations like SkyTV, Vend and even the Office of the Privacy Commissioner have their own policies to encourage reporting directly to their security experts.
InternetNZ will be reaching out to Z Energy on how they can implement a disclosure framework so that vulnerabilities are identified and fixed in a safe, collaborative timely manner.