Geekzone: technology news, blogs, forums
ANglEAUT
altered-ego
2436 posts

Uber Geek
+1 received by user: 842

Trusted
Lifetime subscriber

  #3207343 17-Mar-2024 22:10

neb: ... unless it's a site that's going to ship stuff to you there's absolutely no reason to give them anything useful. You're just a database key somewhere, that's all that matters. ...

 

Too true. Even those "favourite holiday destination / 1st school" type security questions can be filled in with random strings from the password generator. They don't have to be "real life" answers / "the truth".

 

 

 

 





Please keep this GZ community vibrant by contributing in a constructive & respectful manner.




MadEngineer
4591 posts

Uber Geek
+1 received by user: 2570

Trusted

  #3207486 18-Mar-2024 12:42

heavenlywild:

Just wait for the eventual Foodstuffs and Woolies hack that exposes our faces and other personal details to the world.


This is why no matter how good the privacy policy is it is only good until it's hacked.

From what I gather Foodstuffs’ software only stores facial recognition data locally at the one store and if you’re not a suspect your data is not stored. Unless you know otherwise?




You're not on Atlantis anymore, Duncan Idaho.

gehenna
8667 posts

Uber Geek
+1 received by user: 3883

Moderator
Trusted
Lifetime subscriber

  #3207572 18-Mar-2024 17:36

"if you're not a suspect your data is not stored" is the most ambiguous thing I've read in this thread. Not that I'm singling you out because of your comment @MadEngineer... it's more the fact that the stores using the tech are saying that. It's so akin to "if you've nothing to hide you've nothing to worry about" that all I can actually do is worry about it. I have lots to hide, as is my right.




MadEngineer
4591 posts

Uber Geek
+1 received by user: 2570

Trusted

  #3207577 18-Mar-2024 17:39

I don’t disagree. If however your images and mine are not even stored then it’s not an issue.



“If you tolerate this then your children will be next”, and Jean-Michel Jarre, Edward Snowden - Exit (youtube.com)





You're not on Atlantis anymore, Duncan Idaho.

Oblivian
7345 posts

Uber Geek
+1 received by user: 2117

ID Verified

  #3207664 18-Mar-2024 20:41

So now it's been all but confirmed (naturally they paywalled the link). And individually exploited

 

https://www.nzherald.co.nz/nz/victim-of-mediaworks-data-breach-have-been-emailed-demanding-cryptocurrency/MSZPEKMM2BGPTIRA6WA64IXDT4/ 

 

 


Wheelbarrow01
1784 posts

Uber Geek
+1 received by user: 2638

Trusted
Chorus

  #3207774 18-Mar-2024 22:12

heavenlywild:

 

Just wait for the eventual Foodstuffs and Woolies hack that exposes our faces and other personal details to the world.

 

This is why no matter how good the privacy policy is it is only good until it's hacked.

 

 

I got shafted at Woolies a week or so ago when I went in there for a shop without a loyalty card (I pretty much never shop there but I was out of town and it was my only option). Astounded to learn from the checkout operator that you can't just have a dumb physical card anymore and that you have to install an app. I've already read about the permissions and liberties you must sign away in order to activate the app. What do the elderly (or anyone) without smartphones do?

 

In the end I created a burner email address and a fake name just to register, and I've taken a screenshot of the 'rewards' barcode that was generated onscreen before deleting the app. Assuming it works, they won't be tracking me, my location, my online presence or my spending habits through an app.


 
 
 

RunningMan
9186 posts

Uber Geek
+1 received by user: 4840


  #3207805 19-Mar-2024 07:43
Oblivian
7345 posts

Uber Geek
+1 received by user: 2117

ID Verified

  #3207815 19-Mar-2024 08:01

I should have clarified, the article itself has quotes saying we are investigating and some light assurances, while there's a link within the article to a paywalled that had me wanting to click saying they had confirmed it

MediaWorks has confirmed a database containing information from individuals who entered its online competitions was breached.

^ hotlinked

cddt
1967 posts

Uber Geek
+1 received by user: 1904


  #3207822 19-Mar-2024 08:31

neb: 

 

My birthday on all sites is 1 January 1970.

 

You too? What are the odds. 





My referral links: BigPipeMercury


ANglEAUT
altered-ego
2436 posts

Uber Geek
+1 received by user: 842

Trusted
Lifetime subscriber

  #3207854 19-Mar-2024 10:19

cddt:

 

neb: 

 

My birthday on all sites is 1 January 1970.

 

You too? What are the odds. 

 

 

For me 01/01/00 is less finger movement & thankfully meets all age requirements these days.





Please keep this GZ community vibrant by contributing in a constructive & respectful manner.


Rikkitic
Awrrr
19065 posts

Uber Geek
+1 received by user: 16305

Lifetime subscriber

  #3207859 19-Mar-2024 10:33

So pleased for yet another affirmation that my decision never to participate in contests, loyalty cards, corporate events of any kind, or ever to reveal my true name, address, age, email, etc., is the right one. 

 

 





Plesse igmore amd axxept applogies in adbance fir anu typos

 


 


 
 
 

turtleattacks
1008 posts

Uber Geek
+1 received by user: 305

Trusted

  #3208617 20-Mar-2024 14:42

Anyone feel that MediaWorks still have not officially made further comment about this Gigya hack apart from their initial release?

Quite a bit of data was hacked, full name, phone number, address and photos of the participant's kids. 

 

Part of me feels that they are just staying quiet and hope it blows away.





tripper1000
1648 posts

Uber Geek
+1 received by user: 1176


  #3208651 20-Mar-2024 16:03

Wheelbarrow01: .......

 

In the end I created a burner email address and a fake name just to register, and I've taken a screenshot of the 'rewards' barcode that was generated onscreen before deleting the app.....

 

Well, do share the screen-shot. That would save the rest of us going through the same trouble.

 

 


jamesrt
1663 posts

Uber Geek
+1 received by user: 942

ID Verified
Trusted
Lifetime subscriber

  #3209422 22-Mar-2024 08:30

Apologies in advance for the long post:

 

Kia ora,

I am writing to you because you have previously entered an online competition with MediaWorks. Unfortunately the database containing information you supplied to MediaWorks when entering the competition has been subject to a cyber attack. The database included entries for online competitions dating back to 2016.

What personal information is affected?

The types of information held in this database and accessed by the attacker include name, date of birth, gender, postal address and/or post code, email address, phone number, and in some cases images or videos that may have been submitted as part of the entry.

Importantly, the affected database did not contain passwords, identity documents, financial information, bank accounts or credit card details. 

What do I need to do?

We understand the attacker has published the information online and we recommend the following:

 

• Be vigilant, you may experience more targeted attacks such as phishing. Watch out for suspicious emails, texts, phone calls or messages on social media. Never respond to these approaches and do not click on any links that look suspicious

 

• Keep an eye on your email accounts for anything unusual, check for unauthorised activity and unknown forwarding addresses

 

• Where possible, ensure your online accounts are protected with multi-factor authentication https://www.ownyouronline.govt.nz/personal/get-protected/guides/use-two-factor-authentication-to-protect-your-accounts/ 

 

• Never provide your passwords to anyone or allow access to your computer (even if the person says they’re from a credible organisation)

 

• Make sure your passwords are up to scratch, for guidance on this visit:  https://www.ownyouronline.govt.nz/personal/get-protected/guides/how-to-create-good-passwords/

 

• If you’re worried about your information being used for identity theft, go to: https://www.govt.nz/browse/law-crime-and-justice/identity-theft/ 

 

• You can check if you’ve been included in other breaches by visiting https://haveibeenpwned.com   

 

Further general information on online safety, cyber security and helpful tips to protect yourself and respond to scams, identity theft and other online risks, can be found at https://www.cert.govt.nz/individuals/  


What if I am contacted by the attacker?

We are aware that some individuals have been contacted by the attacker requesting payment for deletion of their information. If this happens to you, we strongly recommend that you do not pay as there is no guarantee your data will be deleted even if you do pay.

You can find the NZ Government advice on this here:
https://www.dpmc.govt.nz/our-programmes/national-security/cyber-security-strategy/cyber-ransom-advice


How did this happen?

On Friday 15 March we became aware of claims of a cyber-attack on our systems. The affected database was identified and taken offline on Saturday 16 March, and all current competition entries were moved to a new database.

MediaWorks promptly assigned an incident response team to manage the response to the incident and has engaged external IT security and forensic experts to investigate and provide full details of how the attack occurred and what information has been compromised.

From initial investigations, we understand the attacker was able to access the data of approximately 403,000 individuals by exploiting a previously unidentified system vulnerability. 

MediaWorks, with the support of external experts, is currently reviewing all other IT systems and cyber security protections to identify and mitigate any other possible security vulnerabilities.  


MediaWorks has taken the following steps:

 

     

  • Taken the affected database offline;
  • Moved all current competition entries to a new database;
  • Engaged external experts to identify and resolve possible security vulnerabilities;
  • Updated security measures; 
  • Notified the Privacy Commissioner;
  • Reported the incident to CERT NZ and the New Zealand Police.
  • In line with New Zealand Government guidance, we have not engaged with the attacker.


Who can I contact?

If you have any immediate questions or concerns please contact our Privacy Officer at privacy@mediaworks.co.nz.

For advice and assistance, you can report cybersecurity incidents to CERT NZ on their website or phone 0800 CERT NZ. 

If we are unable to satisfactorily resolve your questions or concerns, you have the right to make a complaint to the Privacy Commissioner by contacting them through their website at https://www.privacy.org.nz/your-rights/making-a-complaint-to-the-privacy-commissioner/.


We sincerely apologise for any concern and inconvenience that this incident may cause you. We want you to know that MediaWorks takes data security seriously and is working hard to make sure this doesn’t happen again. 

Ngā manaakitanga,

Wendy Palmer
CEO MediaWorks


Andib
1396 posts

Uber Geek
+1 received by user: 974

ID Verified
Trusted

  #3209423 22-Mar-2024 08:37

Is this a breach of the Privacy Act? IANAL however my understanding of the act is that you can only retain PII while it is relevant to the original reason it was captured.
I would hazard a guess that information captured for a competition 7/8 years ago for a business they no longer own doesn't fit within this requirement.





<# 
       .DISCLAIMER
       Anything I post is my own and not the views of my past/present/future employer.
#>

