Mighty Ape’s boss has fronted for the first time on a privacy issue which saw some users of the online retailer able to log into others’ accounts.
The May 22 breach meant a small group of customers were able to log in and see a stranger’s name, address, partial credit card details, and order history.
Managing director Robert McEwan also discussed an upgrade to Mighty Ape’s platform in October which resulted in a “significant” impact on its NZ operation’s revenue, earnings and customer numbers in the build-up to Christmas.
Mighty Ape’s parent ASX-listed Kogan also noted further troubles with the upgrade in a notice to the Australian stock exchange in May this year.
On June 6, Mighty Ape customer Cody Cooper shared screenshots with the Herald that showed him logged into the account of a Wellington woman. Via her accessible order history, names and addresses of family members were revealed.
Along with the partial credit card details (he could see the first four digits of the number, the final two and the expiry date) he was concerned that the information would be enough to mount a phishing attack (using partial knowledge to draw out full details from a victim to deploy for identity theft).
Cooper was also annoyed that a make-good offer from Mighty Ape (which he had not received) of a $50.00 credit required a minimum $50.01 purchase.
And that there was no option for a user to cancel their Mighty Ape account via the site’s account management console (the option is available via chat or by phoning Mighty Ape).
In a May 30 article, Consumer NZ strongly criticised Mighty Ape’s initial communication to customers, which it saw as too scant in detail.
It did not think the online retailer had taken accountability because it had called the incident a “technical issue”.
The publication said the incident should have been defined as a data breach, not an IT error.
No one at Mighty Ape would confirm details of what happened, including whether users had in fact found themselves logged into each other’s accounts.
In a June 13 interview with McEwan (the earliest he was available after a June 6 request), the Herald asked, was the May 22 incident a privacy breach?
“Oh, absolutely,” McEwan replied.
“And we proactively and voluntarily reached out to the Privacy Commissioner to let them know what had occurred and to share with them the details of what had happened and make sure that the actions that we’re taking were the right actions, including how we communicated to customers and how we’ve addressed the issue moving forward.”
What went wrong?
“We actually found that there was potential for people to be able to view other people’s accounts. In this case, it affected 309 customers, and there was potential for them to then be able to view that account.
“I would definitely like to acknowledge the technical glitch that occurred. It was a caching issue.
“It affected a limited number of customers, and we take ownership for that and apologise for that, and we’ve been working forward with our customers to resolve any issues that may have happened.”
Consumer NZ chief executive Jon Duffy told the Herald, “It’s clear that in some instances users had full access to other users’ accounts and undertook activity with those accounts.”
One had even made an order on another user’s credit card - to see if that was possible - then immediately cancelled the transaction.
“Based on what we have seen, we would expect Mighty Ape’s conversations with the OPC [Office of the Privacy Commissioner] to have also included formal notification of a privacy breach as required by the Act,” Duffy said.
“Unfortunately, Mighty Ape has only provided general details of what has occurred here, so it is difficult to understand the full scale of the breach and make a definitive call.”
A spokeswoman for the Privacy Commissioner confirmed Mighty Ape had been in touch about the breach, but refused to say if it had reached the threshold for a formal notification.
Mighty Ape has never previously defined the “limited number” of users affected. McEwan told the Herald it was 309.
Were the initial communications too vague? (The initial public communication, and all public communications since, has made no mention of users’ being able to log into other users’ accounts.)
“We were quite broad in our statement, and then as we understood the issue further, we went back to those customers that were actually affected, to provide them further information and reassurance,” McEwan said.
“Absolutely we’ve taken ownership of it. We’ve contacted all those customers affected. In fact, initially, we over-communicated.
“We went out to a much broader group than what, as we investigated, was a limited number affected. It affected 309 customers, and there was potential for them to view other people’s accounts.”
But it wasn’t just potential, was it? They found themselves logged into other users’ accounts. They actually were logged into other users’ accounts, the Herald said.
“Yep, that’s correct,” McEwan replied.
The MD said follow-up communications were full and frank, but were narrowcast to only the affected customers.
Privacy expert Frith Tweedie, a former EY partner, technology lawyer and now principal at Simply Privacy, offered more detail on what constitutes a data breach under the Privacy Act 2020 - but added that any organisation involved in a possible data breach had to consider reputational issues as much as the letter of the law.
“The definition of a ‘privacy breach’ is broad and it’s important to understand that they don’t only occur in your classic ‘hacker in a hoodie’ type scenarios,” Tweedie said.
“What matters is that unauthorised people were able to access other users’ personal information [in the Mighty Ape incident], which counts as a ‘privacy breach’ under the Privacy Act.
“The reported access to names, contact details, order history and even partial payment information makes it hard to argue that serious harm wasn’t at least possible, which would make this a ‘notifiable privacy breach’.”
Tweedie added, “Responding to a privacy or data breach isn’t just a legal issue, it’s also about trust”.
“People understand that mistakes happen, but they want fast, clear and direct communication when things do go wrong.
“When an organisation delays acknowledging a breach, or gives incomplete information, it creates unnecessary anxiety and makes people feel like their privacy isn’t being taken seriously.”
Consumer NZ said Mighty Ape should have taken its website offline until the breach was resolved - pointing to the action taken by gaming platform Steam in 2015.
McEwan said there was no need to take the website down as it had contained the issue within two hours.
ASX-listed Australian online retailer Kogan bought Mighty Ape for A$122.4 million ($128.3m) in 2020. As part of the deal, the site’s founder, Simon Barton, and his immediate team stayed on until 2023.
There’s been a flurry of leadership changes since with three chief executives departing since the deal - most recently Daniel Balasoglou in February this year.
Mighty Ape’s website now has the same look design (if different branding) as its Australian parent and Dick Smith, whose online operations were also bought by Kogan.
The upgrade that began in October was designed to introduce more under-the-bonnet Kogan systems. It also added a key new service, Mighty Ape Marketplace, which lets third-party retailers sell their goods via Mighty Ape.
In a half-year results investor presentation, filed to the ASX on February 25, covering the six months to December 31 2024, Kogan said:
“In late October 2024, the Mighty Ape website underwent a major upgrade, introducing enhanced functionality ... Mighty Ape active customers declined following technical issues experienced as part of the Mighty Ape website upgrade.
“Many technical issues identified have been resolved, with a recovery of financial and operational performance expected in the second half of FY2025.”
In the final two months of last year, Mighty Ape only just managed to squeak to a A$100,000 operating earnings profit.
“The technical issues saw adjusted ebitda [earnings before interest, taxes and amortisation] reduce by 96.2% on the previously comparable period over the November and December 2024 peak sales period,” Kogan’s filing said.
Revenue fell 22.1% to A$30m over the two months.
“The team has been diagnosing and remedying many of the major issues, with some work yet to go. We expect to resolve all major issues in the coming period,” the filing said.
It added that McEwan would be taking over from Balasoglou in a “leadership change”.
Balasoglou, who led Mighty Ape for less than a year, had a financial officer background, most recently as Lotto NZ’s CFO.
McEwan has had a career in logistics, including general manager of operations roles for DHL NZ and Ingram Micro NZ (which distributes products for Apple, Cisco, Nvidia and other big tech names.
In a May 20, 2025 business update filing to the ASX, offering a general business update for the quarter to April 30, Kogan said:
“Mighty Ape continued to be impacted by technical challenges following the website platform upgrade announced in February 2025, which affected sales performance and inventory levels.
“Throughout the period, the team progressively resolved several stability issues and gradually progressed towards restoring marketing efficiency.
“Early signs of recovery are evident, with gross sales showing positive momentum driven by the Mighty Ape Marketplace scaling rapidly since launch.
“Over the coming months, Mighty Ape will continue to right-size inventory levels. The company expects Mighty Ape to return to profitable trading performance in FY26.”
McEwan said the upgrade had added many features from Kogan that would benefit customers and make the site more efficient, and that the new Marketplace feature let small retailers reach Mighty Ape’s large-scale audience.
A spokeswoman for the Office of the Privacy Commissioner confirmed Mighty Ape had been in touch to discuss the issue, but would not comment on whether a formal data breach notification had been warranted.
Chris Keall is an Auckland-based member of the Herald’s business team. He joined the Herald in 2018 and is the technology editor and a senior business writer.