In a significant cybersecurity incident, a data breach has compromised the personal information of thousands of subscribers to Nine’s media outlets, including the Sydney Morning Herald, The Australian Financial Review, and The Age. Approximately 16,000 individuals have had their names, postal addresses, and email addresses exposed online, raising concerns about the safety and security of consumer data in the digital landscape.
The breach was detected and reported by Kaspar, a security researcher recognized on Mastodon, whose expertise includes identifying misconfigured Amazon S3 cloud storage that inadvertently exposes sensitive data. Following the discovery, reports were made to Nine, AUSCERT, and the Australian Privacy Commissioner on March 19, highlighting a lapse in the security protocols of a third-party supplier that did not align with Nine’s stringent internal data management standards.
A Nine spokesperson confirmed that the breach did not compromise subscribers’ credit card details or passwords. “We were alerted by a security researcher about certain personal information that was inadequately protected after an unauthorized change,” the spokesperson stated. They reiterated that while the breach involved a limited subset of subscriber records, Nine has taken the matter seriously, and confirmed that there was no infiltration of its internal technology systems.
While the exposed data is no longer available online, Nine is proactively contacting affected subscribers to inform them of the breach. The company’s handling of this incident illustrates the critical importance of robust data protection practices and highlights the potential vulnerabilities that can arise when third-party suppliers are involved.
This incident marks the second notable data breach reported within a week in Australia, following the unauthorized download of a substantial number of court documents from the NSW Department of Communities and Justice. Officers from the state’s Cybercrime Squad have been alerted and are currently investigating that breach, which affected the secure presentation of civil and criminal cases on the NSW Online Registry.
As data breaches become increasingly common, a recent report by Australian security firm StickmanCyber emphasized a dramatic rise in major cybersecurity incidents. Between 2022 and 2023, the number of “mega-breaches” affecting more than one million Australians surged to 12, a significant increase from just two such breaches reported from 2018 to 2021. Ajay Unni, CEO of StickmanCyber, highlighted concerns over the growing volume of sensitive information held by businesses, underscoring that as companies handle more data, the risks of exposure grow correspondingly.
For business owners, this breach underscores the importance of stringent security measures and thorough vetting of third-party vendors. The tactics potentially involved in this scenario may align with the MITRE ATT&CK framework, which details various adversary methods. Initial access techniques, such as exploiting third-party vulnerabilities or misconfigurations, and persistence tactics that allow attackers to maintain footholds in compromised systems, may have been leveraged in this instance.
As cybersecurity threats evolve, entities managing personal data must adopt a proactive and comprehensive approach to mitigate risks associated with data breaches. The current landscape necessitates that businesses not only strengthen their internal security infrastructure but also demand high standards from their external partners to safeguard sensitive consumer information effectively.