Published on 21/03/2024 | Written by Heather Wright
$10,000 versus $50 million…
Hackers behind MediaWorks data breach are believed to have published the stolen data online, after previously demanding ransoms of US$500 in cryptocurrency from some victims of the data breach.
MediaWorks, which owns and operates radio stations including More FM, Mai, George FM and the Breeze, has confirmed the breach and says it’s aware some individuals may have had direct approaches from the threat actor.
“People aren’t always motivated to comply with legislation that protects data.”
The data was initially offered for sale on the dark web – and to some of the victims themselves for a Bitcoin fee ‘to help cover costs associated with recovering and deleting’ the data.
MediaWorks says the breach occurred on a database containing information from individuals who have entered online competitions.
While the alleged hacker claims to have ‘stolen 2,416,180 New Zealand citizens’ data’ in the breach, on Friday 22 March MediaWorks confirmed earlier suggestions that the number of victims would be lower, with many people likely to have entered multiple competitions. It says it has notified 403,000 individuals that their information has been involved in the breach.
The company says it became aware of the breach claims on Friday March 15 and identified the affected database the following day.
“As soon as we identified the database concerned it was taken offline and all current competition entries have been moved to a new secure database,” MediaWorks says.
Among the information in the database were names, dates of birth, genders, addresses, post codes and mobile numbers. In some cases, MediaWorks says, images and videos were also uploaded as part of the entry.
Among those images and videos are reportedly images of children, along with data on children’s names and ages, whether they play rugby and for what team. More than 3,000 lines of personal information were released as ‘proof of life’ data.
MediaWorks says the database did not include passwords, financial information, bank accounts or credit card details.
The breach only came to light after the alleged hacker posted on BreachForums that they had stolen 2.4 million New Zealanders’ data and offered it up for sale to interested parties. The post claims private information including questionnaire answers, videos and music materials, and voting and details from The Block NZ are included in the data.
That inclusion of details from The Block NZ has raised eyebrows for many. MediaWorks sold its TV business to Warner Bros. Discovery back in December 2020. The data from The Block also goes as far back as 2016 (other data appears to be as recent as this month), raising questions again about how long companies are holding on to data.
Principle 9 of New Zealand’s Privacy Act says organisations ‘should not keep personal information for longer than it is required for the purposes for which the information may lawfully be used’.
RNZ reported on Monday that one victim had been emailed a demand for US$500 in Bitcoin ‘to protect yourself from potential harm’ in a ‘one-time opportunity’ to have the data removed. The man told RNZ the email was sent to almost 100 other addresses as well as his, from an account that had allegedly been hacked. He has reportedly contacted the Privacy Commissioner, Cert NZ and NetSafe.
The email he received claims the hacker had attempted to negotiate with MediaWorks offering them ‘a very low price to have them secure the data’, but that MediaWorks had refused.
New Zealand law requires organisations to report serious privacy breaches to the Privacy Commissioner.
MediaWorks had not notified the Office of the Privacy Commissioner of the breach last weekend, saying it would first need to investigate to ascertain the size and scope of the breach and its impact on New Zealanders. MediaWorks says it has now notified the Privacy Commissioner and reported the incident to Cert NZ and the New Zealand Police.
It says it has also updated security measures and engaged external experts to identify and resolve possible security vulnerabilities.
“In line with government advice, MediaWorks has not engaged the attacker,” the company says.
That’s the advice it’s providing to those whose data has been stolen too: it strongly advises against payment, as there is no guarantee the data will be deleted. It urged them to be vigilant about the potential for more targeted attacks such as phishing; to keep an eye on email accounts for anything unusual, checking for unauthorised activity and unknown forwarding addresses; and to use multi-factor authentication where possible.
The breach comes less than two weeks after Privacy Commissioner Michael Webster called for greater penalties for data breaches in New Zealand.
Speaking at the National Cyber Security Summit in Wellington, Webster said most of the serious breaches reported to his office were happening in the digital world.
“I am concerned that businesses and other organisations rely on digital environments but aren’t well set up to run them safely,” he says.
“The degree of privacy maturity and cybersecurity practice is not as developed as I would have expected, which says to me that people aren’t always motivated to comply with legislation that protects data, like the Privacy Act.”
Webster noted that the most he can fine an organisation for not adhering to a compliance order is just $10,000, versus Australia’s maximum fine of $50 million.
That dismally small fine has been the source of comment on online forums this week in the wake of the MediaWorks breach, with many expressing the view that the low penalties were, at least in part, to blame for organisations keeping reams of personal data on people.
Last March, a breach of Latitude Financial saw driver’s licence and passport details and sensitive financial data, including personal income and expense information, of just over one million New Zealanders exposed, in New Zealand’s largest breach.
Millions of Australians were also affected by that breach, which saw up to 14 million customers across the two countries having personal data exposed.