What Happened
In March 2023, New Zealand media company MediaWorks suffered a data breach when hackers exploited an unidentified system vulnerability to access a database of online competition entries dating back to 2016, initially claimed to affect 2.5 million records but later clarified by the company as 403,000 individuals (with Have I Been Pwned reporting 162,700 unique email addresses). The exposed data included names, dates of birth, genders, physical addresses, phone numbers, email addresses, and in some cases competition responses, images, or videos, but no passwords, financial details, or credit card information. Hackers posted samples on hacking forums like BreachForums (later seized by the FBI and partners including NZ Police), offered the data for sale on the dark web, and emailed victims demanding US$500 (NZ$820) in Bitcoin to delete their records, which MediaWorks and experts advised against paying. MediaWorks took the database offline, migrated current entries to a secure system, notified affected individuals and the Privacy Commissioner (four days after discovery on March 15), and collaborated with authorities while urging victims to contact their privacy office.
