Thousands of subscribers affected in Nine-owned news masthead data breach

Thousands of subscribers to major Nine-owned newspapers, including The Sydney Morning Herald, The Australian Financial Review, and The Age, have had their personal information exposed in a recent data breach. The leak, which affected approximately 16,000 individuals, involved names, postal addresses, and email addresses but did not compromise credit card details or passwords, according to a Nine spokesperson.

Nine attributed the breach to an "unauthorized change" by a third-party supplier that led to certain subscriber data not being protected in accordance with the company’s strict security standards. The media organization emphasized that its internal technology infrastructure remained secure and that the compromised information was no longer accessible online.

“We have been made aware by a security researcher that certain personal information held by a third-party supplier was not protected to the level of Nine’s strict internal data protocols after an unauthorized change,” a Nine spokesperson stated. “While there has been no breach of Nine’s internal technology infrastructure, Nine treated this matter seriously and worked with the third party to resolve the issue.”

The company confirmed that it is directly contacting affected subscribers to inform them of the breach. The data exposure was initially discovered by cybersecurity researcher Kaspar, known online as @bucketchallenge@infosec.exchange on Mastodon. Kaspar specializes in identifying unprotected data stored on Amazon cloud storage—commonly referred to as “open S3 buckets.”

Upon finding the exposed data, Kaspar promptly alerted Nine, the Australian cybersecurity group AUSCERT, and the Office of the Australian Information Commissioner (OAIC) on March 19.

The Nine subscriber data leak is the second major security incident reported in Australia within a matter of days. Earlier this week, a breach involving the NSW Department of Communities and Justice led to the unauthorized download of 9,000 court documents, including sensitive records such as domestic violence orders and affidavits.