Hackers connected to a MediaWorks data breach are demanding a ransom of US$500 (NZ$820) in cryptocurrency from one of the victims of the data leakage.
MediaWorks has confirmed a database containing information from individuals who entered its online competitions has been breached.
It follows a post on an internet forum on Thursday, which claimed to have stolen data from 2.5 million New Zealanders.
The author of the post said they planned to sell the information, which included people's names, addresses, dates of birth, and contact details.
One man - who did not wish to be named - told RNZ he had received an email, purportedly from the hackers, on Thursday. He said it had been sent to almost 100 other addresses, from an account that had allegedly been hacked.
The subject line of the email read: "Attention! Your data has been leaked!".
"We are writing to inform you of a concerning data breach at MediaWorks New Zealand that has compromised the personal information of 2.5 million New Zealand citizens, including yours. We attempted to negotiate with MediaWorks by offering a very low price to have them secure the data, but unfortunately, they displayed a disappointing lack of concern and refused. Their dismissive attitude, treating the data as valueless, has led us to consider releasing it publicly," it said.
"Therefore, we are contacting you because your information is part of the leaked data. To protect yourself from potential harm, we are offering a one-time opportunity to have your data removed for a fee of $500 USD in Bitcoin (BTC). This fee helps us cover the costs associated with recovering and deleting your data."
The man said he initially deleted the email, but restored it after hearing news reports about the alleged hack. He had contacted the Privacy Commissioner, CERT NZ, and Netsafe on Monday, he said.
"I also did try and contact MediaWorks but as yet I haven't had a call back from them."
The man, who described himself as "a prolific enterer of competitions via the internet", thought the hack to be genuine.
"I believe it is real based on the email that I received and noting the number of people whose email addresses were disclosed in that email to me as well. But it's only a hundred people, not 2.4 million, so I have no idea whether they have exaggerated the hack," he said.
"I'm personally not too worried, it just could be a bit of a pain if they suddenly decide that they're going to target me with a lot of spam or phishing and unneccessary phone calls."
In a statement, MediaWorks said it became aware of the claims on Friday night. It continued to investigate which parts of the database had been accessed and how the hack had happened.
The company said initial assessments indicated the number of people in the database was significantly lower than reported.
"As soon as we identified the database concerned it was taken offline and all current competition entries have been moved to a new secure database," a spokesperson said.
"The type of information held in this database includes name, date of birth, gender, address, post code and mobile number. In some cases competition entrants may have uploaded images or videos as part of their entry. The database does not include any passwords, financial information, bank accounts or credit card details."
MediaWorks was in contact with the appropriate authorities and would communicate directly with affected people, it said.
"We are also aware that some individuals may have had direct approaches from the threat actor. Anyone with concerns can get in touch with our privacy office at privacy@mediaworks.co.nz," the spokesperson said.
"Cert NZ recommends whenever you follow a link to a screen that's asking you to log in or enter personal details, you check the domain name in the browser address bar matches the company you expect before you enter any information. Cert NZ also advises against engaging with threat actors or paying ransom for the return of data.
"MediaWorks is sorry for the concern this is causing."
The Office of the Privacy Commissioner said it did not comment on breaches as they were happening.
"It's a core part of our secrecy provision that organisations can disclose to us fully without the worry that we'll publicly disclose their information."
Anyone who found or received information related to this, or any other cyberattack or breach, should not share the content and should report it to the police, a spokesperson said.