Cyber Incident Victim: MediaWorks

On March 1, 2024, an unidentified user posted claims on a dark web forum at approximately 3:00 AM NZDT alleging the theft of data belonging to 2.5 million New Zealanders from MediaWorks. The user stated they intended to sell the data, which reportedly included names, addresses, dates of birth, email addresses, and phone numbers. Additional compromised materials allegedly contained questionnaire responses, videos, music materials, and voting data related to The Block NZ reality competition series. The same user later provided regional data samples in a subsequent post that received 25 views within 10 hours. MediaWorks first became aware of these claims on the evening of March 15, 2024, initiating an investigation into the alleged breach of competition entry data. The Office of the Privacy Commissioner confirmed it had not received formal notification from MediaWorks as of the initial reports.

MediaWorks responded by transferring all active competition entries to a new secure database on March 15 while mobilizing its technology team and external cybersecurity experts to investigate the incident scope. The company acknowledged the breach involved website competition data but did not confirm the validity of the dark web claims regarding the full dataset's extent or the additional materials cited. Potential impacts included exposure of personally identifiable information for millions of New Zealand residents and compromise of proprietary content related to media productions. The Privacy Commissioner emphasized the need for MediaWorks to determine breach parameters before implementing harm mitigation strategies for affected individuals. MediaWorks maintained public communication through a March 1 website update apologizing for the incident while withholding confirmation of data exfiltration specifics pending investigation outcomes.