MediaWorks is investigating the alleged hacking of data belonging to more than 2.4 million people – including phone numbers, email addresses and even the way they voted on shows such as The Block over a number of years.
The alleged stolen data is being offered for sale on the dark web.
A MediaWorks spokeswoman said today: “On Friday, MediaWorks became aware of claims that it had been impacted by a cyber security incident. MediaWorks takes data security seriously and our technology team is investigating this potential incident with the support of external experts.”
The alleged hacker claims to have data from 2.461 million NZ citizens. They claim to have, among other information, names, home addresses, mobile numbers, email addresses, dates of birth, home phone numbers, user postal codes, user genders, and user IDs.
They also claim to have private information, including some questionnaire answers, and people’s videos and music materials.
Among examples of the alleged data hacked is how people voted on The Block between 2017 and 2020. MediaWorks owned and operated the Three television brand before Discovery took ownership later in 2020.
MediaWorks owns and operates a suite of entertainment radio stations including More FM, The Rock, The Breeze, George FM, Mai, Magic and The Sound. It also runs an outdoor advertising arm.
The hacker is trying to sell the data.
A partial screengrab of the alleged hacker's attempts to sell private information.
A separate screengrab of information reveals a page of people’s names, postal addresses, email addresses and phone numbers – and how they responded to a recent question on a MediaWorks radio station about which Dragon concert they’d like to attend in 2024.
A spokesman for the Privacy Commissioner said on Saturday: “MediaWorks has not yet notified our office of a recent privacy breach; we expect they would do this if it were a verified breach.
“As with any breach, MediaWorks would need to investigate to fully ascertain the size and scope of the breach and any impact on its New Zealand clients.
“Our focus in this situation is to provide agencies who have experienced a breach with advice on how [to] minimise the harm caused by the breach on any individuals impacted.”
The Block contestants from an earlier season with hosts Mark Richardson and Shannon Ryan.
Police have been contacted for comment.
Netsafe chief executive Brent Carey said today anyone who thought they might be caught up in the alleged hack should change the passwords to any email accounts that might have been associated with MediaWorks competitions.
He urged people to go to the Have I Been Pwned website to check on the status of their email address.
“That will list all the data breaches that could be associated with the email address.”
People could also make a request to the MediaWorks privacy officer, asking for all the private information the company has on record about them.
People could also contact Netsafe (0508 638 723 or [email protected]) if they needed further advice.
No place for ‘she’ll be right’
In May last year, TVNZ reported the Privacy Commissioner’s office was investigating the Latitude Financial firm and its role in “New Zealand’s largest data breach”.
According to 1News, the breach had exposed 1,037,000 New Zealand driver licence numbers and details from 34,000 passports. About 90,000 customers had also had their personal finance details exposed.
At the time, the Privacy Commissioner’s office said it had launched a joint investigation with its Australian counterparts.
New Zealand’s Deputy Privacy Commissioner Liz MacPherson said at the time that data retention was emerging as a key issue in several domestic and global cyber attacks including the Latitude Financial breach.
“Data retention is the sleeping giant of data security. There are consequences for holding onto data you no longer need. All businesses and organisations can learn from this: don’t collect or hold onto information you don’t need. The risk is simply too high for your customers and your organisation. Don’t risk being a hostage to people who make it their day job to illegally extract data.”
She said at the time there was no place for a “she’ll be right” attitude to privacy and cyber security.
“Cyber attackers are active. People are employed to be cyber attackers.
“People make their fortunes from hacking the security of agencies. Having sea borders does not protect your very internet-connected agency from being hacked.
“A key finding from the NZ Institute of Directors’ Director Sentiment Survey report ... was that a significant proportion of boards were not sufficiently prepared for a digital future and had an ‘it won’t happen to us’ approach. The message from the Office of the Privacy Commissioner is ‘wake up to yourselves’. We talk to organisations almost every week who are counting the cost of a cyber data breach. Can you risk the impact to your customers and your reputation?”
At the time, the Privacy Commissioner’s office said its investigation into Latitude Financial would look at whether the company had breached the Privacy Act 2020.
“While there are consequences for breaching the privacy principles the NZ Privacy Act does not include a civil financial penalty regime,” a spokesperson told TVNZ.
“The primary consequences come through either an individual bringing a complaint to us and seeking compensation for the harm done to them (mediated by OPC or through the Human Rights Review Tribunal), or we can issue agencies with a compliance notice following a compliance investigation to make them do something or stop doing something, which can create costs for an agency, or there is the reputational damage to the agency which can be very significant such as loss of customer base.”
THIS IS A BREAKING STORY – MORE TO COME
- Editor-at-Large Shayne Currie is one of New Zealand’s most experienced senior journalists and media leaders. He has held executive and senior editorial roles at NZME including Managing Editor, NZ Herald Editor and Herald on Sunday Editor and has a small shareholding in NZME.
Take your Radio, Podcasts and Music with you
