Mighty Ape: when is a technical glitch a privacy breach?

Online retailer Mighty Ape is downplaying a technical issue on its website, but reports from affected customers suggest something more serious. Who’s right?
What happened?
On the evening of Thursday 22 May, online retailer Mighty Ape experienced an IT failure. Users found themselves logged into other customers’ accounts.
Confused customers attempted to contact Mighty Ape to find out what was happening. Some sent emails to the addresses they could see on screen, warning account owners that complete strangers could access their personal information.
On the following day, with still no word from Mighty Ape, others began filling the information gap. At Consumer NZ, we used our social media platforms to warn users that something was going on and they should take precautions.
The next day, more than 36 hours after the problem began, Mighty Ape broke its silence, issuing this statement.
Four days after the event, on 26 May, Mighty Ape managing director Robert McEwan assured us Mighty Ape had been “proactively contacting impacted customers” and “Mighty Ape account holders, including those affected, were notified of the incident”.
Affected users had a different story
Cody Cooper was logged in to several strangers’ accounts while trying to use the website.
As at Wednesday 28 May, he hadn’t been contacted at all by Mighty Ape. He had received no warning that his private information might have been shared. He had received no advice about his potential liability for unwittingly violating others’ privacy.
“Despite their statement to the contrary, I was able to see some credit card details,” said Cody. “This could be used to phish someone.”
Cody said he could also see names, emails, phone numbers, delivery addresses and order histories.
“It seemed to change on every other refresh of the page. I would sometimes see my own details, then sometimes someone else's.”
Another customer said he gained access to four strangers’ accounts that Thursday night.
“On one of those accounts, I was successful in placing an order, which I promptly cancelled,” he said. “I notified Mighty Ape of this but have not heard anything back.”
The customer said he hadn’t logged in. This suggests that anyone visiting the Mighty Ape website would’ve been implicated – even those without an account.
He’d also received “zilch” direct communication from Mighty Ape as at 29 May.
A third Mighty Ape customer wasn’t aware of the issue until they received an email from a stranger.
“This kind person had full access to my account, and instead of purchasing whatever they wanted using my payment details, they emailed me,” they told us. “I got very lucky, I think.”
On Friday 30 May, more than 7 days after the incident, Mighty Ape emailed customers whose accounts were improperly accessed. Credits were loaded to their accounts as an apology.
What the law says
Privacy law in New Zealand is covered by the Privacy Act 2020. The Office of the Privacy Commissioner (OPC) is responsible for administering the act. While our privacy law is often criticised for lacking teeth, the one area where it can bite is in relation to data breaches.
In order to protect consumers, the act’s definition of a privacy breach is broad and includes accidental disclosures.
An agency commits an offence if it experiences a privacy breach that could result in serious harm to individuals and fails to notify affected individuals and report the breach to the OPC.
In such instances, the agency could be liable for a fine of up to $10,000.
Whether a privacy breach could cause serious harm is the key question. If a breach is minor and quickly resolved, while it is still best practice to advise affected individuals, there may not be any legal obligation to notify them or the OPC.
To help agencies work out whether a breach is serious, the act sets out some starters for 10.
Factors to consider are things like:
the sensitivity of the information
who has or could have gained access to the information
the types of harm that could result from the breach.
Data breach or IT error?
Mighty Ape claims this incident is not a data breach. Presumably, this is because those accessing private information were not doing so intentionally.
The incident would therefore fall short of a hack or cyberattack, which are characterised by malicious intent from the intruders.
However, whether customers meant to or not, they still had unauthorised access to personal information. Under New Zealand law, that’s a privacy breach and should be reported as such.
From what we’ve seen, the Mighty Ape incident seems similar to an event that took place on gaming store Steam on Christmas Day 2015. That event was caused by incorrect web caching. Notably, Steam issued a lengthy explanation acknowledging that “sensitive personal information may have been … seen by other users” and made sure to “apologize to everyone whose personal information was exposed by this error”.
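To make the Steam comparison concrete, the following is an added illustration, not Mighty Ape's or Steam's code and not a claim about what caused the Mighty Ape incident (which the company has not explained). It models the shared-cache failure mode the article refers to: a caching layer in front of a shop stores an account page keyed on the URL alone, so the next visitor, whether logged in or not, is handed the previous customer's details. The account records, session identifiers and cache behaviour are all constructed for the example. It also shows the two checks a practitioner would want: that the site marks per-user responses as private/no-store, and that the cache actually honours those headers, since either one failing is enough to mix accounts.

```python
"""
Toy model of account mixing caused by a shared cache.

Constructed example: the accounts, sessions and cache are invented for
illustration and do not describe any real retailer's systems.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple


@dataclass
class Response:
    body: str
    headers: Dict[str, str] = field(default_factory=dict)


LOGIN_PROMPT = "Please log in"

# Constructed account store: session cookie -> what the account page shows.
ACCOUNTS = {
    "sess-alice": "Account: Alice <alice@example.invalid>, card ending 1111",
    "sess-bob": "Account: Bob <bob@example.invalid>, card ending 2222",
}

Origin = Callable[[str, Optional[str]], Response]


def origin_unsafe(path: str, session: Optional[str]) -> Response:
    """Web app that forgets to tell caches the account page is per-user."""
    if path == "/account":
        # No Cache-Control header at all: a cache may store this heuristically.
        return Response(ACCOUNTS.get(session, LOGIN_PROMPT))
    return Response("Public catalogue page", {"Cache-Control": "public, max-age=60"})


def origin_safe(path: str, session: Optional[str]) -> Response:
    """Web app that marks authenticated responses as not shareable."""
    if path == "/account":
        # private + no-store forbids any shared cache from keeping the page;
        # Vary: Cookie is for caches that key on headers (this toy one does not).
        return Response(
            ACCOUNTS.get(session, LOGIN_PROMPT),
            {"Cache-Control": "private, no-store", "Vary": "Cookie"},
        )
    return Response("Public catalogue page", {"Cache-Control": "public, max-age=60"})


class SharedCache:
    """A caching proxy shared by every visitor, keyed on the URL path only."""

    def __init__(self, origin: Origin, honour_cache_control: bool):
        self.origin = origin
        self.honour = honour_cache_control
        self.store: Dict[str, Response] = {}

    def _may_store(self, resp: Response) -> bool:
        if not self.honour:
            return True  # misconfigured proxy: caches everything it sees
        cc = resp.headers.get("Cache-Control", "").lower()
        # A shared cache must never store private or no-store responses.
        return "private" not in cc and "no-store" not in cc

    def get(self, path: str, session: Optional[str]) -> Tuple[str, bool]:
        """Return (body, served_from_cache)."""
        if path in self.store:
            return self.store[path].body, True
        resp = self.origin(path, session)
        if self._may_store(resp):
            self.store[path] = resp
        return resp.body, False


def what_next_visitor_sees(origin: Origin, honour_cache_control: bool) -> str:
    """Alice loads her account page; then an anonymous visitor asks for it."""
    cache = SharedCache(origin, honour_cache_control)
    cache.get("/account", "sess-alice")
    body, _ = cache.get("/account", None)
    return body


def leaks_account(origin: Origin, honour_cache_control: bool) -> bool:
    """True when the anonymous visitor receives someone else's account page."""
    return what_next_visitor_sees(origin, honour_cache_control) != LOGIN_PROMPT


if __name__ == "__main__":
    for label, origin in (("no cache headers", origin_unsafe), ("private/no-store", origin_safe)):
        for honour in (True, False):
            cache_kind = "well-behaved cache" if honour else "cache ignoring headers"
            print(f"{label:18} + {cache_kind:24}: leak={leaks_account(origin, honour)}")
```

Only the combination of a site that sends private/no-store and a cache that honours it keeps the second visitor on the login prompt; the three other combinations all hand Alice's page, card digits included, to whoever asks next, which is the kind of exposure the customers quoted above describe.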
We want Mighty Ape to take responsibility
Mighty Ape’s statement and follow-up email gave affected users little information about what the issue was, how long it lasted and what caused it. It was a missed opportunity to take accountability and look after affected customers.
As it stands, we only know about the extent of the breach from private individuals sharing their experiences. Some of these appear to contradict Mighty Ape’s official statements in places.
Claiming that the incident was not a data breach and did not compromise any credit card details is naïve at best and misleading at worst.
If Mighty Ape knew that only users currently using the site were exposed, it should have temporarily taken down the site for everyone while it fixed the problem – as Steam did in 2015.
We will continue to work with both Mighty Ape and the OPC to make sure customers are looked after.