Vector was hit by a data breach last month, which exposed names, phone numbers, emails, and data that could lead to the locations of customers who reported an outage.
The breach happened on April 26, 2018. According to Vector, the attacker leaked details to media organisation Stuff. Stuff has refused to destroy, return or secure the data that was stolen.
On April 27 the company posted a FAQ section that detailed an API vulnerability in its Outage app.
The vulnerability was exploited by an unknown third party, who then hacked the app. The attacker may have gained access to personal information about app users and anyone who had used the app to report an outage.
While personal information may have been compromised, no financial information such as bank account or credit card details were stolen.
Vector says the breach was confined to information provided by customers to the app. The company’s electricity network, financial systems and website were not compromised.
“This data breach comes as we are working to significantly improve our customers’ information experience during an outage, which was a clear problem following a recent storm,” Vector says in a statement.
According to the company’s FAQ, ‘a number of app customers may have been affected by this data breach’. All customers should now be notified either by email or by letter. The email will be sent from firstname.lastname@example.org.
“We have taken the immediate step of disabling the Vector Outage app and withdrawn all customer records which were breached,” the company says.
Customers who want to report or find out about outages must call Vector directly or visit Vector’s website for more information.
“We are working hard to redesign and relaunch our outage app based on customer feedback and performance during the recent storm to create an industry leading customer experience,” Vector says.
“We will also be ensuring that our customer data is stored, maintained and managed securely in line with best practice and world standards.”
Vector suggests that customers:
- Consider your security for online accounts where you’ve used your email address for account identification.
- Be aware that following this breach, your email address may potentially be the subject of heightened spam activity, and in all cases we recommend you take care when opening emails and/or clicking on links.
- Note that Vector will never request passwords or financial information from you over email.
- For more information on how to ensure your information remains safe and how to recognise potential online scams, visit www.netsafe.org.nz
“We ask our customers to be extra vigilant if they receive any unsolicited communication from anyone purporting to be from Vector.”