New Zealand media company: Hackers directly targeting individuals after alleged data breach
MediaWorks, a company based in New Zealand, says it is investigating an alleged security incident after a hacker claimed to have stolen the data of just over 2.4 million people and began targeting individuals for extortion payments.
The company, which has not yet publicly confirmed that a data breach has taken place, said in a statement on its website that the “claims relate to data from website competition entries.” These have now been moved “to a new secure database.” It’s unclear what the competition was.
According to the hacker — who announced they were attempting to sell the data on a cybercrime forum — the stolen material includes personally identifying information such as names, addresses, dates of birth and phone and email contact details.
MediaWorks has confirmed the database held “name, date of birth, gender, address, post code and mobile number” information, as well as in some cases images or videos uploaded as part of people’s entries to the competition.
Financial details, such as card numbers, and passwords are not believed to be affected.
“We take our data security seriously, and the technology team is investigating the potential incident with the support of external experts. We apologise and will provide more information as it becomes available,” the company added.
The office of New Zealand’s privacy commissioner said on Saturday it had not been notified of a breach, which is only legally required once an incident has been verified.
According to Radio New Zealand, individuals affected by the breach are being targeted for direct extortion by the perpetrator, who — as one recipient said — sent an email demanding $500 in bitcoin to delete the individual’s data before it was sold.
“We attempted to negotiate with MediaWorks by offering a very low price to have them secure the data, but unfortunately, they displayed a disappointing lack of concern and refused. Their dismissive attitude, treating the data as valueless, has led us to consider releasing it publicly” the hackers alleged in their email.
But the recipient noted the message was sent to far fewer than the number of data subjects whom the criminals claimed were affected.
“It’s only a hundred people, not 2.4 million, so I have no idea whether they have exaggerated the hack,” he told Radio New Zealand.
A spokesperson for MediaWorks told the broadcaster: “We are also aware that some individuals may have had direct approaches from the threat actor. Anyone with concerns can get in touch with our privacy office at [email protected].”
Alexander Martin
is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.