Sydney Morning Herald & Age Subscribers’ Personal Data Leaked in Online Breach

Image: Background image by Markus Spiske (Unsplash). Edited by Christine Lai.

Thousands of subscribers under Nine-owned mastheads including the Sydney Morning Herald, The Australian Financial Review and The Age have had their personal data leaked online in a dangerous data breach. 

Approximately 16,000 subscribers to the news publications had their names, postal addresses and email addresses exposed online. 

Credit card details of subscribers unaffected

A spokesperson for Nine said that card details and passwords were unaffected. 

“We have been made aware by a security researcher that certain personal information held by a third party supplier was not protected to the level of Nine’s strict internal data protocols after an unauthorised change,” a Nine spokesperson said. 

“This included a limited number of The Sydney Morning Herald, The Age and The Australian Financial Review print subscriber records. While there has been no breach of Nine’s internal technology infrastructure, Nine treated this matter seriously and worked with the third party to resolve the issue,” a spokesperson said.

The company stated that there was no breach of its “internal technology infrastructure” and that the data was no longer accessible online. 

“The customer personal information that was held by the provider was limited to name, postal address and/or email address. Nine is directly contacting all subscribers whose records were involved,” they said. 

The exposed data was initially discovered by security researcher Kaspar, known by his handle @bucketchallenge@infosec.exchange on Mastodon. He specializes in identifying data hosted on Amazon cloud storage that has been unintentionally left exposed, a problem commonly referred to as “open S3 buckets.”

Kaspar reported the exposed data to Nine, along with Australian cybersecurity group AUSCERT and the Australian Privacy Commissioner, on March 19.

Second Major Data Breach In Three Days

This is the second major data breach that has occurred this week, following the download of 9000 court documents from the NSW Department of Communities and Justice, including domestic violence orders and affidavits. 

On Tuesday, officers from the State Crime Command’s Cybercrime Squad were alerted to a breach of the NSW Online Registry website. 

The registry is a secure online platform that provides access to information related to both civil and criminal cases within the NSW court system. Investigations are ongoing to determine the full extent of the breach.

Anyone who believes their details may have been compromised is urged to report it through ReportCyber.

Report Reveals Surge in Data Breaches 

Last month, a report by Australian security firm StickmanCyber, titled “The Rise of Australian Mega Data Breaches,” analysed data breach reports submitted to the OAIC. It found that between 2018 and 2021, only two mega-breaches affected over a million Australians. However, from 2022 to 2023, that number rose to 12.

“Like the stock market, we expect national data breach figures to rise steadily over the long term, with little fluctuations along the way,” StickmanCyber CEO Ajay Unni said in a statement.

“For mega-breaches to increase so much, so fast, is cause for concern. The problem is that there are now more companies with more data on Australian residents than ever. When they are breached, we are accustomed to the contact, payment, and identification details of millions of people falling into the wrong hands. But we should never accept this as the status quo. Businesses have to do better, or they must leave our data alone,” Unni said. 
