Nine Media Company leaks personal information of 16,000 subscribers
Learn More
Nine, the Australian media company that owns The Sydney Morning Herald, The Age, and The Australian Financial Review, has confirmed a data breach that exposed the personal information of approximately 16,000 subscribers. The exposed data included:
- names,
- full contact details,
- addresses,
- payment information,
The breach was first discovered by a security researcher, whose hobby involves searching for unprotected data hosted on Amazon cloud storage—a common security vulnerability known as "open S3 buckets." According to reports, the researcher notified Nine, the Australian cybersecurity group AUSCERT, and the Australian privacy commissioner about the exposed data on March 19, 2025.
Despite the initial notification, the exposed data was only secured after anoter researcher Martin Seeger and the news outlet Crikey contacted Nine on March 26, a full week after the initial report. A Nine company spokesperson acknowledged the breach, stating: "We have been made aware by a security researcher that certain personal information held by a third-party supplier was not protected to the level of Nine's strict internal data protocols after an unauthorised change."
While the exposed database did not contain credit card or bank account details, Martin Seeger warned that the information still presents significant risks. "There are also payment details (amounts) in [the breach]. That can be easily used by phishing scams to create credibility,"
