Mighty Ape boss fronts over glitch that saw some users logged into other users' accounts


NZ Herald, 5 days ago

Cooper was also annoyed that a make-good offer from Mighty Ape (which he had not received) of a $50.00 credit required a minimum $50.01 purchase.
And that there was no option for a user to cancel their Mighty Ape account via the site's account management console (the option is available via chat or by phoning Mighty Ape).
Mighty Ape's communication to affected customers on May 30, seven days after the incident. Image / Consumer NZ
In a May 30 article, Consumer NZ strongly criticised Mighty Ape's initial communication to customers, which it saw as too scant in detail.
It did not think the online retailer had taken accountability because it had called the incident a 'technical issue'.
The publication said the incident should have been defined as a data breach, not an IT error.
No one at Mighty Ape would confirm details of what happened, including whether users had in fact found themselves logged into each other's accounts.
In a June 13 interview with McEwan (the earliest he was available after a June 6 request), the Herald asked, was the May 22 incident a privacy breach?
'Oh, absolutely,' McEwan replied.
'And we proactively and voluntarily reached out to the Privacy Commissioner to let them know what had occurred and to share with them the details of what had happened and make sure that the actions that we're taking were the right actions, including how we communicated to customers and how we've addressed the issue moving forward.'
McEwan pictured in Mighty Ape's warehouse in Silverdale, north of Auckland. Photo / Dean Purcell
What went wrong?
'We actually found that there was potential for people to be able to view other people's accounts. In this case, it affected 309 customers, and there was potential for them to then be able to view that account.
'I would definitely like to acknowledge the technical glitch that occurred. It was a caching issue.
'It affected a limited number of customers, and we take ownership for that and apologise for that, and we've been working forward with our customers to resolve any issues that may have happened.'
309 affected
Consumer NZ chief executive Jon Duffy told the Herald, 'It's clear that in some instances users had full access to other users' accounts and undertook activity with those accounts.'
One had even made an order on another user's credit card - to see if that was possible - then immediately cancelled the transaction.
'Based on what we have seen, we would expect Mighty Ape's conversations with the OPC [Office of the Privacy Commissioner] to have also included formal notification of a privacy breach as required by the Act,' Duffy said.
McEwan says Mighty Ape's upgrade, which began last October, has added many technology features from Kogan that will benefit customers, as well as the new Marketplace that lets third-parties sell via the site. Photo / Dean Purcell
'Unfortunately, Mighty Ape has only provided general details of what has occurred here, so it is difficult to understand the full scale of the breach and make a definitive call.'
A spokeswoman for the Privacy Commissioner confirmed Mighty Ape had been in touch about the breach, but refused to say if it had reached the threshold for a formal notification.
Mighty Ape has never previously defined the 'limited number' of users affected. McEwan told the Herald it was 309.
Were the initial communications too vague? (The initial public communication, and all public communications since, have made no mention of users being able to log into other users' accounts.)
'We were quite broad in our statement, and then as we understood the issue further, we went back to those customers that were actually affected, to provide them further information and reassurance,' McEwan said.
'Absolutely we've taken ownership of it. We've contacted all those customers affected. In fact, initially, we over-communicated.
'We went out to a much broader group than what, as we investigated, was a limited number affected. It affected 309 customers, and there was potential for them to view other people's accounts.'
But it wasn't just potential, was it? They found themselves logged into other users' accounts. They actually were logged into other users' accounts, the Herald said.
'Yep, that's correct,' McEwan replied.
The MD said follow-up communications were full and frank, but were narrowcast to only the affected customers.
Don't downplay an incident, expert says
Privacy expert Frith Tweedie, a former EY partner, technology lawyer and now principal at Simply Privacy, offered more detail on what constitutes a data breach under the Privacy Act 2020 - but added that any organisation involved in a possible data breach had to consider reputational issues as much as the letter of the law.
'The definition of a 'privacy breach' is broad and it's important to understand that they don't only occur in your classic 'hacker in a hoodie' type scenarios,' Tweedie said.
'What matters is that unauthorised people were able to access other users' personal information [in the Mighty Ape incident], which counts as a 'privacy breach' under the Privacy Act.
'The reported access to names, contact details, order history and even partial payment information makes it hard to argue that serious harm wasn't at least possible, which would make this a 'notifiable privacy breach'.'
Tweedie added, 'Responding to a privacy or data breach isn't just a legal issue, it's also about trust'.
'People understand that mistakes happen, but they want fast, clear and direct communication when things do go wrong.
'When an organisation delays acknowledging a breach, or gives incomplete information, it creates unnecessary anxiety and makes people feel like their privacy isn't being taken seriously.'
Should Mighty Ape have been taken offline?
Consumer NZ said Mighty Ape should have taken its website offline until the breach was resolved - pointing to the action taken by gaming platform Steam in 2015.
McEwan said there was no need to take the website down as it had contained the issue within two hours.
Under new management
ASX-listed Australian online retailer Kogan bought Mighty Ape for A$122.4 million ($128.3m) in 2020. As part of the deal, the site's founder, Simon Barton, and his immediate team stayed on until 2023.
There's been a flurry of leadership changes since the deal, with three chief executives departing - most recently Daniel Balasoglou in February this year.
Mighty Ape's website now has the same look and design (if different branding) as its Australian parent and Dick Smith, whose online operations were also bought by Kogan.
The upgrade that began in October was designed to introduce more under-the-bonnet Kogan systems. It also added a key new service, Mighty Ape Marketplace, which lets third-party retailers sell their goods via Mighty Ape.
Glitch slashes Christmas season earnings
In a half-year results investor presentation, filed to the ASX on February 25, covering the six months to December 31 2024, Kogan said:
'In late October 2024, the Mighty Ape website underwent a major upgrade, introducing enhanced functionality ... Mighty Ape active customers declined following technical issues experienced as part of the Mighty Ape website upgrade.
'Many technical issues identified have been resolved, with a recovery of financial and operational performance expected in the second half of FY2025.'
In the final two months of last year, Mighty Ape only just managed to squeak to a A$100,000 operating earnings profit.
'The technical issues saw adjusted ebitda [earnings before interest, taxes and amortisation] reduce by 96.2% on the previously comparable period over the November and December 2024 peak sales period,' Kogan's filing said.
Revenue fell 22.1% to A$30m over the two months.
'The team has been diagnosing and remedying many of the major issues, with some work yet to go. We expect to resolve all major issues in the coming period,' the filing said.
It added that McEwan would be taking over from Balasoglou in a 'leadership change'.
Balasoglou, who led Mighty Ape for less than a year, had a financial officer background, most recently as Lotto NZ's CFO.
McEwan has had a career in logistics, including general manager of operations roles for DHL NZ and Ingram Micro NZ (which distributes products for Apple, Cisco, Nvidia and other big tech names).
Upgrade blues continued
In a May 20, 2025 business update filing to the ASX, offering a general business update for the quarter to April 30, Kogan said:
'Mighty Ape continued to be impacted by technical challenges following the website platform upgrade announced in February 2025, which affected sales performance and inventory levels.
'Throughout the period, the team progressively resolved several stability issues and gradually progressed towards restoring marketing efficiency.
'Early signs of recovery are evident, with gross sales showing positive momentum driven by the Mighty Ape Marketplace scaling rapidly since launch.
'Over the coming months, Mighty Ape will continue to right-size inventory levels. The company expects Mighty Ape to return to profitable trading performance in FY26.'
McEwan said the upgrade had added many features from Kogan that would benefit customers and make the site more efficient, and that the new Marketplace feature let small retailers reach Mighty Ape's large-scale audience.
A spokeswoman for the Office of the Privacy Commissioner confirmed Mighty Ape had been in touch to discuss the issue, but would not comment on whether a formal data breach notification had been warranted.
Chris Keall is an Auckland-based member of the Herald's business team. He joined the Herald in 2018 and is the technology editor and a senior business writer.
