22 Mar 2024

MediaWorks hacking victim 'shocked', concerned for personal information

6:18 pm on 22 March 2024
[Photo: Sign on the MediaWorks building. RNZ / Marika Khabazi]

A victim of the MediaWorks hack says she is frightened by what the hacker could do with her information.

More than 400,000 people had their information taken in the cyberattack, with hackers demanding a ransom to take down the stolen data.

On Friday, MediaWorks told affected people the attacker had published their information online. Waikato resident Rebecca was one of them.

"I had no knowledge of the cyberattack at all, until I received an email [from MediaWorks] this morning, around 5.30am. I was very shocked, it caught me off guard. Once I opened it and started reading it, I understood the seriousness of it."

She said the news sparked serious concerns about what could happen next.

"If they have used my email address and they can gather my date of birth and all these sorts of things, what are they going to have access to?

"Do they have access to all my emails? Do they have access to social media accounts? Can they go further than that? Because it has caught me so off guard, I'm so unsure and I don't even know what to do about it".

Rebecca said MediaWorks' email was not very reassuring and the company should do more to support victims of the breach.

"[The email] just kind of says, very broadly, 'they got all of our database'. Essentially 'good luck, here are some tips, go fend for yourselves'.

"I think the approach was fairly wrong. They've just flicked out this general email to everyone and said, 'here is a bunch of links to click'."

Another affected person, an Auckland man whom RNZ agreed not to name, said he had been contacted by the hackers last week.

"I received an email from the hackers on 14 March, telling me that MediaWorks was being dismissive in responding to the hackers, and therefore they were offering me the opportunity to pay US$500 in bitcoin to have my data removed for this possible sale or release."

He said people sharing their information online relied on the security provided by those collecting the data.

"We are just in the hands of the people that receive that data. If we want to participate [in any competitions] we have to provide the data, so we are completely reliant on the people receiving it to ensure its security. [It is] frustrating."

'A pretty bad deal' - cyber security expert

When the cyberattack was identified last week, it was thought as many as 2.5 million people could have been affected.

But MediaWorks later said approximately 403,000 individuals were affected due to an unidentified system vulnerability.

The hacker took information from a database of online competitions from as far back as 2016, including names, dates of birth, addresses and phone numbers. Images or videos could also have been stolen.

Sandfly Security founder Craig Rowland said keeping people's personal information for too long made companies more vulnerable to attacks.

"As we see here, [companies] keep that data around for a very, very long time, even well after they should do. And as that data remains around for a long time, it actually becomes more valuable... and it's more likely to get stolen."

Rowland said a lot of the information collected was unnecessary.

"Why include someone's specific birth date, why not just do an age range? Why does the physical address need to be collected? Why couldn't they just collect the postal code?

"I think there's better ways to keep the data much vaguer."

He argued the lack of regulation on how long companies can keep customers' personal data put people at risk.

"There's essentially no expiration date on [the data stored]. And it's not [just MediaWorks], it's government agencies, banks and other people [that] do this as well.

"There should be time limits imposed on how long companies and even governments can keep this data around, and they should be basically forced to get rid of it after a period of time."

Massive liability

The stolen data could be used for several purposes, including opening multiple phone accounts in a victim's name.

"And then there are other groups, called access brokers, [who] might try to use your customer access information to gain access into other corporate networks that you might have accounts for," Rowland said.

Once stolen, there was not much a person could do to protect their leaked information.

"I would strongly urge people to put unique passwords on all of your accounts, especially if your email is now floating out there."

He said that, if in doubt, people should never reply to emails purporting to come from the hackers.

"There's no way they're going to delete [your information]. This data is already posted, it's been copied all over the internet, there's no way a single person's going to be able to remove your data, you just need to accept that it's out there.

"It's a scam... you've got to call their bluff."

Rowland said with cyberattacks becoming more frequent, the country should investigate how collected personal data was being stored.

"I don't think New Zealand has that infrastructure set up yet, but they're probably going to have to be a lot more scrupulous in terms of checking people's backgrounds.

"I think [companies] need to really start asking questions about why they are retrieving customer data, and what [they are] going to do if it was ever stolen."

Resolving security vulnerabilities - MediaWorks

MediaWorks chief executive Wendy Palmer said in a statement all the company's IT systems were being reviewed.

"MediaWorks, with the support of external experts, is currently reviewing all other IT systems and cyber security protections to identify and mitigate any other possible security vulnerabilities."

She said the company had taken the affected database offline, moved all current competition entries to a new database and got external experts to resolve security vulnerabilities.

"In line with New Zealand Government guidance, MediaWorks has not engaged with the attacker."

Palmer apologised for the incident, saying the company took data security seriously and it was working hard to make sure it did not happen again.