Sydney Morning Herald, the Age, the Australian Financial Review suffer a data breach

March 29, 2025

The Nine papers group has suffered a data breach involving exposure of its subscribers’ information, some 16,000 in all (so far). That is particularly embarrassing for a news outlet that usually enjoys breathless reporting of privacy fails of businesses. Here the reporting was by News.com with “‘Juicy customer data’ belonging to thousands of Aussies leaked from Nine”, the ABC with “Nine newspapers subscribers have data exposed online in breach” and the Australian Financial Review with “Nine audits external data security after breach exposes 16,000 readers”. The Australian, a competitor in the market, gleefully reports on the breach with “Sydney Morning Herald, The Age and Financial Review readers exposed in data breach”.

The breach was the exposure of names, postal addresses and email addresses of 16,000 subscribers. The information was held by a third party supplier. The cyber attack was on that supplier. While Nine is keen to state that there was no breach of its (excellent) cyber security structure, that does not alter the fact that a third party supplier’s cyber protection was not adequate. This is a very common situation. Large organisations using third party contractors or suppliers is seen as efficient and cost effective. Part of that work usually involves the contractor or supplier holding the organisation’s store of personal information or having authorisation to access the organisation’s homepage. Hackers recognise that many third party suppliers have less effective cyber protection and are vulnerable. To avoid this form of attack organisations should do what they can to require third party contractors and suppliers to have satisfactory and complementary cyber protection and systems in place. Unfortunately that is a conversation that is not had enough.

The ABC story provides:

Thousands of the subscribers to Nine newspapers have had their personal data exposed online in a major cybersecurity breach.

Sixteen-thousand subscribers to the Sydney Morning Herald, The Age and The Financial Review had their names, postal addresses and email addresses left exposed online.

A spokesperson for Nine said payment details and passwords were not affected.

Nine said it was first made aware of the hack to a third-party supplier that had access to subscriber’s details by a security researcher.

“We have been made aware by a security researcher that certain personal information held by a third party supplier was not protected to the level of Nine’s strict internal data protocols after an unauthorised change,” a spokesperson said.

“This included a limited number of The Sydney Morning Herald, The Age and The Australian Financial Review print subscriber records.”

The company said there was no breach of its “internal technology infrastructure” and that the data was no longer visible online.

“While there has been no breach of Nine’s internal technology infrastructure, Nine treated this matter seriously and worked with the third party to resolve the issue,” a spokesperson said.

“The customer personal information that was held by the provider was limited to name, postal address and/or email address.

“The data did not include credit card details or passwords.”

The organisation said it was contacting all subscribers who were impacted but the breach could put thousands of users at risk of cyber attacks.

It’s the second major cyber breach to be reported in two days, after 9,000 sensitive court files were downloaded from the NSW Courts online registry last week.

The Australian story provides:

Nine has had no choice but to contact 16,000 subscribers from three of its major mastheads after their data was left exposed online.

Readers of The Sydney Morning Herald, The Age and The Financial Review were left unprotected by one of the publisher’s third-party suppliers that had access to subscriber details.

On Thursday, Nine confirmed that 16,000 subscribers had their names, postal addresses and email addresses exposed online.

No customers’ payment details or passwords were impacted by exposed data, a spokesman said. The breach was first reported by Crikey.

Nine has claimed its own infrastructure remains uncompromised and the data was exposed solely by the third party supplier.

“We have been made aware by a security researcher that certain personal information held by a third party supplier was not protected to the level of Nine’s strict internal data protocols after an unauthorised change. This included a limited number of The Sydney Morning Herald, The Age and Australian Financial Review print subscriber records,” the Nine spokesman said.

Nine had begun reaching out to impacted subscribers to warn them that their information had been exposed online. “While there has been no breach of Nine’s internal technology infrastructure, Nine treated this matter seriously and worked with the third party to resolve the issue,” he said.

“The customer personal information that was held by the provider was limited to name, postal address and/or email address. The data did not include credit card details or passwords. Nine is directly contacting all subscribers whose records were involved.”

Nine said that impacted subscribers would not be compensated. The publisher had advised its customer service team to provide additional support.

Third party suppliers continue to be a prime target for malicious actors and cyber criminals.

These external firms are often baited and exploited by cyber criminals to gain access to larger organisations or are used as an entry point to illegally obtain customer information for the purpose of scams or data brokerage.

On Thursday, the NSW government confirmed 9000 “sensitive court files” had been viewed by a hacker who had breached the Department of Communities and Justice.

NSW police have confirmed a breach took place inside an Online Registry that provides information related to criminal and civil cases in the NSW courts
