Cyber Security Update and FAQ
MediaWorks today notified around 403,000 individuals that information they supplied as part of a competition entry had been involved in a cyber attack. The affected database included entries for online competitions dating back to 2016.
The types of information held in this database and accessed by the attacker include name, date of birth, gender, postal address and/or post code, email address, phone number, and in some cases images or videos that may have been submitted as part of the entry. Importantly, the affected database did not contain passwords, identity documents, financial information, bank accounts or credit card details. MediaWorks became aware of claims of a cyber-attack on Friday March 15. The affected database was identified and taken offline on Saturday 16 March, and all current competition entries were moved to a new database.
MediaWorks promptly assigned an incident response team to manage the response to the incident and engaged external IT security and forensic experts to investigate and provide full details of how the attack occurred and what information was compromised. From initial investigations, MediaWorks understands the attacker was able to access the data by exploiting a previously unidentified system vulnerability. We understand the attacker has published the information online.
MediaWorks, with the support of external experts, is currently reviewing all other IT systems and cyber security protections to identify and mitigate any other possible security vulnerabilities.
We have taken the following steps:
- Taken the affected database offline;
- Moved all current competition entries to a new database;
- Engaged external experts to identify and resolve possible security vulnerabilities;
- Updated security measures;
- Notified the Privacy Commissioner;
- Reported the incident to CERT NZ and the New Zealand Police;
- In line with New Zealand Government guidance, MediaWorks has not engaged with the attacker.
MediaWorks CEO Wendy Palmer apologised for the concern and inconvenience caused by the incident. “We want you to know that MediaWorks takes data security seriously and is working hard to make sure this doesn’t happen again.”
FAQs
Which IT systems of MediaWorks were compromised?
An unauthorised party was able to gain access to our competition database with data from around 403,000 people who entered MediaWorks competitions between 2016 and 2024.
Were MediaWorks’ systems not secure?
From initial investigations, we understand the attacker exploited a previously unidentified system vulnerability. MediaWorks, with the support of external experts, is currently reviewing all other IT systems and cyber security protections to identify and mitigate any other possible security vulnerabilities.
What personal information is at risk?
The types of information held in this database include name, date of birth, gender, postal address and/or post code, email address, phone number, and in some cases images or videos that may have been submitted as part of the entry. Importantly, the affected database did not contain passwords, identity documents, financial information, bank accounts or credit card details.
What has MW done in response to the incident?
MediaWorks has taken the following steps:
- Taken the affected database offline;
- Moved all current competition entries to a new database;
- Engaged external experts to identify and resolve possible security vulnerabilities;
- Updated security measures;
- Notified the Privacy Commissioner;
- Reported the incident to CERT NZ and the New Zealand Police;
- In line with New Zealand Government guidance, we have not engaged with the attacker.
What should affected individuals do?
We understand the attacker has published the information online and we recommend the following:
- Be vigilant, you may experience more targeted attacks such as phishing. Watch out for suspicious emails, texts, phone calls or messages on social media. Never respond to these approaches and do not click on any links that look suspicious
- Keep an eye on your email accounts for anything unusual, check for unauthorised activity and unknown forwarding addresses
- Where possible, ensure your online accounts are protected with multi-factor authentication
- Never provide your passwords to anyone or allow access your computer (even if the person says they’re from a credible organisation)
- Make sure your passwords are up to scratch, for guidance on this visit.
- If you’re worried about your information being used for identity theft, go to.
- You can check if you’ve been included in other breaches by visiting.
- Further general information on online safety, cyber security and helpful tips to protect yourself and respond to scams, identity theft and other online risks, can be found here.
What if I am contacted by the attacker?
We are aware that some individuals have been contacted by the attacker requesting payment for deletion of their information. If this happens to you, we strongly recommend that you do not pay as there is no guarantee your data will be deleted even if you do pay. You can find the NZ Government advice on this here.
Has the incident been reported?
Yes, the incident has been notified to the Privacy Commissioner, and reported to CERT NZ and the New Zealand Police.
Who should I contact if I have further queries?
If you have any immediate questions or concerns please contact our Privacy Officer at privacy@mediaworks.co.nz. For advice and assistance, you can report cybersecurity incidents to CERT NZ on their website or phone 0800 CERT NZ.
If we are unable to satisfactorily resolve your questions or concerns, you have the right to make a complaint to the Privacy Commissioner by contacting them through their website at https://www.privacy.org.nz/your-rights/making-a-complaint-to-the-privacy-commissioner/.
