Thursday 3rd May 2018
Auckland electricity and gas distributor Vector has asked the Auckland High Court for an injunction against media organisation Stuff over Vector customer data given to Stuff by a hacker, to stop Vector "failing its customers again".
On April 26, Stuff published an article saying that a "glitch in electricity network provider Vector's 'Outage' app has inadvertently revealed the names, email addresses, physical location and phone numbers of its customers."
The app gives customers information about power outages, and according to the Stuff article "downloads the name, email, GPS co-ordinates and other personal data related to every unresolved outage reported via the app". However, that information can be accessed by any other app user via a proxy server, and an "anonymous tipster" who contacted Stuff could access 33,000 customers' details.
In a press release, Vector said Stuff has repeatedly refused to secure, return or destroy the customer information, and it is "aware of at least one Vector customer impacted who received an unsolicited approach from a Stuff reporter in the course of preparing the news story for publication." Vector said it did not try to stop Stuff reporting on the issue, but Stuff "compounded this matter by exploiting the customer data when reporting on it."
"The breach having regrettably occurred in the first place, we are trying to take all the steps we can to reduce any additional impact to the privacy of our customers," Vector said. "Now that the story has been published we believe our customers’ data should be destroyed or returned to Vector. Given Stuff’s repeated refusals to Vector’s requests, Vector now considers it has no choice but to take legal action to ensure its customers’ private information is secured and protected. In our view, not doing so would be tantamount to failing our customers again."
"As a result, Vector has applied to the High Court for an injunction to protect the information from further use."
Vector said it realised taking legal action would attract more media attention for the original breach, but "we considered it is more important to take whatever steps we can to secure our customers’ data and protect their privacy."
Mark Stevens, Stuff's editorial director, said the story "was very much in the public interest to report, and it was done so responsibly and with ethics and security in mind."
Stevens said the data was held only until Stuff was sure that news-gathering had finished, and he then ensured the file containing customer contact details was destroyed.
"We did not agree to demands from Vector to return material to them because that could obviously risk identifying our source," Stevens said. "We not only had the protection of the customer data to consider, but also the protection of our source. Source protection is a basic principle of what we do, and part of the stringent ethical framework we work under."
"When we obtain sensitive information we act responsibly to protect both our sources and any vulnerable people affected (such as customers here)," he said. "We have, at all times, treated this information responsibly. Its circulation was limited to staff who needed to see it for news-gathering purposes.
"We have not 'exploited' the information - and we do not sell or otherwise share confidential information we obtain during reporting. It's important to note that while Vector was aware of the data breach, they did not take the app offline until after they were contacted by Stuff."
In response, Vector's head of corporate communications Richard Llewellyn said when the company last talked to Stuff, they were told that "they don’t intend destroying or returning our customers’ data", and Stevens's comments were "disappointing".
"We are confident that Stuff could have destroyed or returned the data, as requested several times, without risking their source. And to be clear, at no stage did we ask them to disclose their information source," Llewellyn said. "While we were made aware of a data vulnerability a few days before being contacted by Stuff, which is already being addressed, we were not aware of a data breach until being contacted by Stuff."