Vector pursues legal action against Stuff for withholding data

Vector is pursuing legal action against Stuff for withholding data.
Vector is pursuing legal action against Stuff for withholding data. Photo credit: Vector

Vector has demanded Stuff either return or destroy confidential customer data it was given access to by an anonymous source - but the news outlet says it already has.

The Auckland electric utility company suffered a data breach of customer information last month from the Vector outage app by an unknown source. The app is designed to provide customers with information about power outages.

Customer names, email addresses, GPS co-ordinates and other personal data are downloaded by the app to every unresolved outage reported via the app. But by using a proxy server, information can be accessed by anyone else who has downloaded the app - without the need to dodge security measures.

News organisation Stuff published an article on April 26 quoting an "anonymous tipster", who said they were able to access 33,000 listings of Vector customers' details. 

Stuff editorial director Mark Stevens told Newshub on Thursday that the data was held only until it determined that news gathering activities on the story had finished.

"When I was comfortable with that, I ensured the file containing customer contact details - which we received through a secure server - was destroyed," Mr Stevens said.

"We did not agree to demands from Vector to return material to them because that could obviously risk identifying our source," he added.

"We not only had the protection of the customer data to consider, but also the protection of our source. Source protection is a basic principle of what we do, and part of the stringent ethical framework we work under."

Vector said in a press release on Thursday that while it supports Stuff's right to report on the original data breach, the publication has "repeatedly refused its request for the data."

"We have made it clear to Stuff that we were not seeking to prevent their reporting on the matter and we have not asked them at any time to disclose their information source," the press release says. 

"However, we do not believe Stuff should have compounded this matter by exploiting the customer data when reporting on it."

Mr Stevens said Stuff has "not 'exploited' the information - and we do not sell or otherwise share confidential information we obtain during reporting."

"It's important to note that while Vector was aware of the data breach, they did not take the app offline until after they were contacted by Stuff," Mr Stevens added.

The anonymous source criticised Vector for publicly broadcasting the personal details and location of its customers when they are at their most vulnerable during storms and other events that cause power outages. The source told Stuff the Vector app "alerts villains" that nearby citizens are without power and security.

Vector apologised for the breach and said it is taking the "steps we can to reduce any additional impact to the privacy of our customers."

"Now that the story has been published we believe our customers' data should be destroyed or returned to Vector," the press release says.

"Given Stuff's repeated refusals to Vector's requests, Vector now considers it has no choice but to take legal action to ensure its customers' private information is secured and protected. In our view not doing so would be tantamount to failing our customers again."

Vector said it has applied to the High Court for an injunction to protect the information from further use.

"We recognise that taking this step is likely to attract further media attention to Vector for the original customer data breach," the company said.

"However, we considered it is more important to take whatever steps we can to secure our customers' data and protect their privacy."