Mighty Ape boss fronts over glitch that saw some users logged into other users' accounts

Cooper was also annoyed that a make-good offer from Mighty Ape (which he had not received) of a $50.00 credit required a minimum $50.01 purchase.
And that there was no option for a user to cancel their Mighty Ape account via the site's account management console (the option is available via chat or by phoning Mighty Ape).
Mighty Ape's communication to affected customers on May 30, seven days after the incident. Image / Consumer NZ
In a May 30 article, Consumer NZ strongly criticised Mighty Ape's initial communication to customers, which it saw as too scant in detail.
It did not think the online retailer had taken accountability because it had called the incident a 'technical issue'.
The publication said the incident should have been defined as a data breach, not an IT error.
No one at Mighty Ape would confirm details of what happened, including whether users had in fact found themselves logged into each other's accounts.
In a June 13 interview with McEwan (the earliest he was available after a June 6 request), the Herald asked, was the May 22 incident a privacy breach?
'Oh, absolutely,' McEwan replied.
'And we proactively and voluntarily reached out to the Privacy Commissioner to let them know what had occurred and to share with them the details of what had happened and make sure that the actions that we're taking were the right actions, including how we communicated to customers and how we've addressed the issue moving forward.'
McEwan picture in Mighty Ape's warehouse in Silverdale, north of Auckland. Photo / Dean Purcell
What went wrong?
'We actually found that there was potential for people to be able to view other people's accounts. In this case, it affected 309 customers, and there was potential for them to then be able to view that account.
'I would definitely like to acknowledge the technical glitch that occurred. It was a caching issue.
'It affected a limited number of customers, and we take ownership for that and apologise for that, and we've been working forward with our customers to resolve any issues that may have happened.'
309 affected
Consumer NZ chief executive Jon Duffy told the Herald, 'It's clear that in some instances users had full access to other users' accounts and undertook activity with those accounts.'
One had even made an order on another user's credit card - to see if that was possible - then immediately cancelled the transaction.
'Based on what we have seen, we would expect Mighty Ape's conversations with the OPC [Office of the Privacy Commissioner] to have also included formal notification of a privacy breach as required by the Act,' Duffy said.
McEwan says Mighty Ape's upgrade, which began last October, has added many technology features from Kogan that will benefit customers, as well as the new Marketplace that lets third-parties sell via the site. Photo / Dean Purcell
'Unfortunately, Mighty Ape has only provided general details of what has occurred here, so it is difficult to understand the full scale of the breach and make a definitive call.'
A spokeswoman for the Privacy Commissioner confirmed Mighty Ape had been in touch about the breach, but refused to say if it had reached the threshold for a formal notification.
Mighty Ape has never previously defined the 'limited number' of users affected. McEwan told the Herald it was 309.
Were the initial communications too vague? (The initial public communication, and all public communications since, has made no mention of users' being able to log into other users' accounts.)
'We were quite broad in our statement, and then as we understood the issue further, we went back to those customers that were actually affected, to provide them further information and reassurance,' McEwan said.
'Absolutely we've taken ownership of it. We've contacted all those customers affected. In fact, initially, we over-communicated.
'We went out to a much broader group than what, as we investigated, was a limited number affected. It affected 309 customers, and there was potential for them to view other people's accounts.'
But it wasn't just potential, was it? They found themselves logged into other users' accounts. They actually were logged into other users' accounts, the Herald said.
'Yep, that's correct,' McEwan replied.
The MD said follow-up communications were full and frank, but were narrowcast to only the affected customers.
Don't downplay an incident, expert says
Privacy expert Frith Tweedie, a former EY partner, technology lawyer and now principal at Simply Privacy, offered more detail on what constitutes a data breach under the Privacy Act 2020 - but added that any organisation involved in a possible data breach had to consider reputational issues as much as the letter of the law.
'The definition of a 'privacy breach' is broad and it's important to understand that they don't only occur in your classic 'hacker in a hoodie' type scenarios,' Tweedie said.
'What matters is that unauthorised people were able to access other users' personal information [in the Mighty Ape incident], which counts as a 'privacy breach' under the Privacy Act.
'When an organisation gives incomplete information, it creates unnecessary anxiety and makes people feel like their privacy isn't being taken seriously" - Simply Privacy principal Frith Tweedie.
'The reported access to names, contact details, order history and even partial payment information makes it hard to argue that serious harm wasn't at least possible, which would make this a 'notifiable privacy breach'.'
Tweedie added, 'Responding to a privacy or data breach isn't just a legal issue, it's also about trust'.
'People understand that mistakes happen, but they want fast, clear and direct communication when things do go wrong.
'When an organisation delays acknowledging a breach, or gives incomplete information, it creates unnecessary anxiety and makes people feel like their privacy isn't being taken seriously.'
Should Mighty Ape have been taken offline?
Consumer NZ said Mighty Ape should have taken its website offline until the breach was resolved - pointing to the action taken by gaming platform Steam in 2015.
McEwan said there was no need to take the website down as it had contained the issue within two hours.
Under new management
ASX-listed Australian online retailer Kogan bought Mighty Ape for A$122.4 million ($128.3m) in 2020. As part of the deal, the site's founder, Simon Barton, and his immediate team stayed on until 2023.
There's been a flurry of leadership changes since with three chief executives departing since the deal - most recently Daniel Balasoglou in February this year.
Mighty Ape's website now has the same look design (if different branding) as its Australian parent and Dick Smith, whose online operations were also bought by Kogan.
The upgrade that began in October was designed to introduce more under-the-bonnet Kogan systems. It also added a key new service, Mighty Ape Marketplace, which lets third-party retailers sell their goods via Mighty Ape.
Glitch slashes Christmas season earnings
In a half-year results investor presentation, filed to the ASX on February 25, covering the six months to December 31 2024, Kogan said:
'In late October 2024, the Mighty Ape website underwent a major upgrade, introducing enhanced functionality ... Mighty Ape active customers declined following technical issues experienced as part of the Mighty Ape website upgrade.
'Many technical issues identified have been resolved, with a recovery of financial and operational performance expected in the second half of FY2025.'
In the final two months of last year, Mighty Ape only just managed to squeak to a A$100,000 operating earnings profit.
'The technical issues saw adjusted ebitda [earnings before interest, taxes and amortisation] reduce by 96.2% on the previously comparable period over the November and December 2024 peak sales period,' Kogan's filing said.
Revenue fell 22.1% to A$30m over the two months.
'The team has been diagnosing and remedying many of the major issues, with some work yet to go. We expect to resolve all major issues in the coming period,' the filing said.
It added that McEwan would be taking over from Balasoglou in a 'leadership change'.
Balasoglou, who led Mighty Ape for less than a year, had a financial officer background, most recently as Lotto NZ's CFO.
McEwan has had a career in logistics, including general manager of operations roles for DHL NZ and Ingram Micro NZ (which distributes products for Apple, Cisco, Nvidia and other big tech names.
Upgrade blues continued
In a May 20, 2025 business update filing to the ASX, offering a general business update for the quarter to April 30, Kogan said:
'Mighty Ape continued to be impacted by technical challenges following the website platform upgrade announced in February 2025, which affected sales performance and inventory levels.
'Throughout the period, the team progressively resolved several stability issues and gradually progressed towards restoring marketing efficiency.
'Early signs of recovery are evident, with gross sales showing positive momentum driven by the Mighty Ape Marketplace scaling rapidly since launch.
'Over the coming months, Mighty Ape will continue to right-size inventory levels. The company expects Mighty Ape to return to profitable trading performance in FY26.'
McEwan said the upgrade had added many features from Kogan that would benefit customers and make the site more efficient, and that the new Marketplace feature let small retailers reach Mighty Ape's large-scale audience.
A spokeswoman for the Office of the Privacy Commissioner confirmed Mighty Ape had been in touch to discuss the issue, but would not comment on whether a formal data breach notification had been warranted.
Chris Keall is an Auckland-based member of the Herald's business team. He joined the Herald in 2018 and is the technology editor and a senior business writer.

Try Our AI Features

Explore what Daily8 AI can do for you:

Learn with AIFact CheckingText to SpeechAI Summary

Related Articles

Scoop

2 hours ago

• Scoop

Labour Will Repeal Regulatory Standards Bill

Labour will repeal the Regulatory Standards Bill in its first 100 days in Government. 'The Regulatory Standards Bill has no place in a fair and democratic New Zealand and Labour is committed to repealing it in our first 100 days if elected next year,' Labour justice spokesperson Duncan Webb said. 'This Bill is another concession by Christopher Luxon to ACT that puts corporate interests ahead of the public good, making it harder to pass laws that protect people and the environment. 'Under the Regulatory Standards Bill, laws that would keep people healthy and safe, like requiring landlords to heat homes, limiting the sale of vapes, or keeping our air and water clean would be at risk. 'It allows David Seymour to create his own hand-picked 'appeals body of regulatory economists' to criticise laws that are out of line with his minority views. 'Put another way, it takes power away from communities and hands it to corporate friends of the ACT Party. 'Christopher Luxon was too weak to stand up against it, but Labour will repeal it,' Duncan Webb said.

NZ Herald

4 hours ago

• NZ Herald

Man hands himself in to Auckland Sikh temple after alleged machete attack

A man involved in an alleged machete attack on the grounds of a South Auckland Sikh temple has handed himself in to authorities at the same temple. Daljit Singh, a spokesman for the Supreme Sikh Society of New Zealand, told the Herald the man had contacted them wanting to carry

Scoop

5 hours ago

• Scoop

Increase In Awareness Of Whistleblowing Legislation

Awareness is at an all-time high of the law that allows people to report serious wrongdoing in the workplace and provides protection to whistleblowers. Today is World Whistleblowing Day and the Office of the Ombudsman has released an annual poll that shows 36 percent of people know about the Protected Disclosures Act. That's an increase of 11 percent since 2024. Chief Ombudsman John Allen says his office has also seen a significant rise in protected disclosures since the new Protected Disclosures (Protection of Whistleblowers) Act came into force in 2022. "This survey reflects what my office is seeing when we are out and about in communities around New Zealand. There is very high interest in the Protected Disclosures Act and how to make a protected disclosure, particularly amongst Māori, Pasifika and Asian communities. "People are using this Act more and more. My office has seen more than a 300 percent increase in protected disclosures matters since the amended Act came into force. This may be because the revised Act expands the definition of serious wrongdoing and offers more avenues for reporting and protection. "Other factors could include an increase in news coverage of whistleblowing cases and it may be that changes in society have prompted workers to become more aware of their rights and protections." Thirty one percent of those surveyed said they had witnessed serious wrongdoing at work, and of those who had witnessed it 50 percent said they reported it. That's an increase of nine percent on the previous year in people reporting serious wrongdoing that they had witnessed. Advertisement - scroll to continue reading A solid majority - 84 percent - stated they would report it to their employer if they witnessed serious wrongdoing. However, just under half (48 percent) thought they would be safe to do so. Of those who would not feel safe, an increasing number of people said they were afraid of losing their job (61 percent). Almost half of those who would not feel safe (44 percent) also thought they would face retaliation. Almost half of those surveyed (49 percent) said they would feel safer reporting serious wrongdoing if they were assured of anonymity and confidentiality. This demonstrates how important it is for workplaces to have effective processes in place to encourage employees to speak out, protect them from retaliation, and keep their identities confidential. The Office of the Ombudsman has released new guidance aimed at businesses and workplaces that receive protected disclosures: