Geekzone: technology news, blogs, forums


clinty

1182 posts

Uber Geek

Lifetime subscriber

#312092 16-Mar-2024 09:43

NZME is reporting a massive hack on MediaWorks data

Data is being offered on the dark web, around 2.4 million records including:


The alleged hacker claims to have data from 2.461 million NZ citizens. They claim to have, amongst other information, names, home addresses, mobile numbers, email addresses, dates of birth, home phone numbers, user postal codes, user genders, and user IDs....


..... A separate screengrab of information reveals a page of people’s names, postal addresses, email addresses and phone numbers - and how they responded to a recent question on a MediaWorks radio station about which Dragon concert they’d like to attend in 2024.





https://www.nzherald.co.nz/nz/mediaworks-investigating-alleged-data-hack-24-million-customers-personal-details-including-how-they-voted-on-the-block-allegedly-stolen/QKPPHBEEERBJBJGE4ZYERWNJ7Q/

Clint

systemd
32 posts

Geek

Trusted

  #3206927 16-Mar-2024 10:14

Yikes, that's a lot of personal information to have floating around on the web!

 

That puts it in the number one spot for the largest data breach in New Zealand history, the previous being the Latitude Finance breach last year.

 

 

 

I hope this sparks some discussions about data retention and the types of information collected. Surely you don't need home addresses, DoB, genders etc just to enter a competition, those details could be collected once a winner has been chosen? 




gzt
17105 posts

Uber Geek

Lifetime subscriber

  #3206932 16-Mar-2024 10:24

systemd: Surely you don't need home addresses, DoB, genders etc just to enter a competition, those details could be collected once a winner has been chosen?

The purpose or secondary purpose of many competitions is to generate sales leads for the product or service. DOB, I'm thinking, is not usually collected by competitions, so maybe something else.

kiwifidget
"Cookie"
3415 posts

Uber Geek

Lifetime subscriber

  #3206936 16-Mar-2024 10:39

Would that be 2.4m individuals, or maybe fewer individuals of which some may have participated more than once?





Delete cookies?! Are you insane?!




boosacnoodle
963 posts

Ultimate Geek


  #3206938 16-Mar-2024 11:01

Reported to Office of the Privacy Commissioner and NZSIS, given the national security aspect.

gehenna
8497 posts

Uber Geek

Moderator
Trusted
Lifetime subscriber

  #3206950 16-Mar-2024 12:08

That's a lot of records for radio users.  Makes me wonder if they were holding data from before they sold their TV assets.  Which would be bad.  


richms
28168 posts

Uber Geek

Trusted
Lifetime subscriber

  #3206951 16-Mar-2024 12:20

gehenna:

 

That's a lot of records for radio users.  Makes me wonder if they were holding data from before they sold their TV assets.  Which would be bad.  

 

 

Results in voting for The Block, so yeah there is stuff from TV in there. Bad day for warnerbrothersdiscoverynewshubthreenow.





Richard rich.ms

alasta
6703 posts

Uber Geek

Trusted
Subscriber

  #3206960 16-Mar-2024 14:03

I would be a bit careful what you believe from NZME as they have a history of beating up on their major radio competitor.

 

Mediaworks' web site is stating that they are 'investigating claims of a cyber security incident relating to competition data'. It seems unlikely that there would be 2.5 million people affected by that. 

 

It does make you realise how much of your personal information is out there though. In the last few years I have been really careful about giving out my details even to trustworthy companies, but I set up a Mediaworks login many years ago when they had TV3 and RadioLive. 


 
 
 

DjShadow
4084 posts

Uber Geek

ID Verified
Trusted

  #3206964 16-Mar-2024 14:41

Looking at my profile in the Rova app, there is a fair amount of personal data being held. Have to look at the very bottom of the profile page to find the change password link, but nothing on mediaworks or rova's website to do it from there.


alasta
6703 posts

Uber Geek

Trusted
Subscriber

  #3206979 16-Mar-2024 15:50

I just picked a random Mediaworks asset - The Breeze in this case - and tried logging in. They seem to have very little information about me apart from my name, the throwaway email address that I use for this sort of thing, and the year in which I was born. There are fields for actual birthday, but it's stated as 1st of January which is not correct. 

 

There is nothing I can see in relation to physical address details, and even the city field is blank. 


Oblivian
7296 posts

Uber Geek

ID Verified

  #3207019 16-Mar-2024 21:01

If it wasn't considered already. Many 'why would they need that?' fields seem to be what their ratings system runs on. So I'm not surprised they would try to capture it.

DOB for age groups of listeners. But an age in general should suffice. Address for an idea on reach of the regionalised shows and competitions, although you would expect that not to be street level UNLESS you were sent something already (MoreFM for instance has a nationwide central morning show, but other slots can depend on your region - different as you change it https://www.morefm.co.nz/home/shows.html )

 

I suspect for arranging what you can and can't get as part of say a concert prize likely also comes down to your address for travel costs or just tickets etc.

 

In the background they probably all hold hands and likely have a centralised dbase with it split out into target markets/stations. And target further contact as such too. MoreFM have a rather popular comp on at present. And right at the bottom of their terms:

 MediaWorks collects and holds personal information provided by entrants for the purposes of
administering this Promotion and for future MediaWorks promotional purposes. All personal
information provided by entrants will be held by MediaWorks and will not be provided to third
parties unless otherwise specifically set out. Under the Privacy Act 2020, entrants have the right to
access and correct their personal information. Please refer to MediaWorks’ Privacy Policy at
https://images.mediaworks.nz/aem/corporate/Privacy_Notice.pdf for more information about how
MediaWorks uses personal information.

 

 


heavenlywild
5060 posts

Uber Geek

Trusted

  #3207131 17-Mar-2024 11:54

Just wait for the eventual Foodstuffs and Woolies hack that exposes our faces and other personal details to the world.

 

This is why no matter how good the privacy policy is it is only good until it's hacked.


CamH
564 posts

Ultimate Geek


  #3207139 17-Mar-2024 12:13

I took a look at some of the "sample" data this morning, it does look like all competition / voting data

 

The headers look like this:

 

Set 1)

 

  • Entry Datetime    
  • Tell us which Dragon gig you would love to win tickets to:    
  • userAddress    
  • gigyaUserId    
  • userRegion    
  • userMobilePhone    
  • userEmail    
  • userGender    
  • userPostalCode    
  • userName    
  • userHomePhone

Set 2)

 

  • Entry Datetime    
  • userAddress    
  • gigyaUserId    
  • userRegion    
  • userMobilePhone    
  • userEmail    
  • userGender    
  • userPostalCode    
  • userName    
  • userHomePhone

Set 3)

 

  • Entry Datetime    
  • What is your child's name and age?    
  • Do they play Rugby and if so, what team do they play for?    
  • Tell us why your child deserves to win this experience?    
  • Which game would you like to enter for? (You may tick more than one)    
  • Optional Photo, Video or Document here    
  • userAddress    
  • gigyaUserId    
  • userDob    
  • userRegion    
  • userMobilePhone    
  • userEmail    
  • userGender    
  • userPostalCode    
  • userName    
  • userHomePhone

 

 

Looks like it's both pre and post TV channel sale data, but also a lot of duplication. I imagine WB won't be too happy about this one as they'll probably cop a lot of the heat despite the fact it was pre-their ownership.






Oblivian
7296 posts

Uber Geek

ID Verified

  #3207140 17-Mar-2024 12:28

Both The Breeze and The Hits appear to have promoted the Dragon 50th tour about Oct last year. (Touring April)
No sign of announcement comp links on their pages anymore but there are remnants of Facebook ones.

DjShadow
4084 posts

Uber Geek

ID Verified
Trusted

  #3207155 17-Mar-2024 14:17

Is there enough information there that someone could commit credit fraud? (noting Drivers License and Passport info is not included)


neb
11294 posts

Uber Geek

Trusted
Lifetime subscriber

  #3207159 17-Mar-2024 14:25

alasta:

They seem to have very little information about me apart from my name, the throwaway email address that I use for this sort of thing, and the year in which I was born. There are fields for actual birthday, but it's stated as 1st of January which is not correct.

 

 

That'll almost certainly be 1 January 1970, the Unix epoch. My birthday on all sites is 1 January 1970. My address is usually 1060 West Addison, Chicago, Illinois, and my name varies. My password is the name of my parrot, which is currently iV5ORw0KGgo but will change the next time I need it.

 

 

Thing is, unless it's a site that's going to ship stuff to you there's absolutely no reason to give them anything useful. You're just a database key somewhere, that's all that matters. Bruce Schneier gave this advice at least ten years ago: when you fill out something for a web site, lie about everything you can, only provide legitimate data when there's no other option. This is very hard for most people, who are basically honest, to do.
