The breach
It is not common for the victim of a leak to be, itself, a media company. The cyber-extortion group World Leaks claimed an attack on Mediaworks, one of Hungary’s largest media companies, and published about 8.5 terabytes of files on its dark-web site. The Record, from Recorded Future News, confirmed the operation on 4 May 2026, whose first listing on the World Leaks platform had appeared on 28 April. The Hungarian data protection authority later put the stolen material, based on press reports, at nearly 15 million files — about 8.5 TB.
The target is no small thing on the country’s political map. Mediaworks publishes dozens of regional dailies, magazines and portals, and is regarded as the operational center of the press ecosystem aligned with Prime Minister Viktor Orbán.
What is in the files
The content goes beyond corporate paperwork, according to those who reviewed it. Local outlets that examined the dump reported employee payroll, contracts with vendors and advertisers — including agreements with state-owned enterprises — financial statements and internal communications. One element drew political attention, and here caution is required. Several independent outlets published that among the documents were notes from a January 2025 editorial meeting suggesting that someone would “contact Moscow” for help with articles discrediting Ukrainian President Volodymyr Zelensky. Recorded Future News noted that it could not independently verify the authenticity of the leaked data or of the alleged memo.
The twist: the outlet asks that it not be reported
What turns this into a press case, and not only a cybersecurity one, is the company’s reaction. Mediaworks confirmed the incident and asked journalists not to report on the leaked material, arguing that using data obtained by criminal means could constitute a crime under Hungarian law. The company threatened legal action against outlets that published; the portal Media1, one of those targeted, replied that it would not comply with what it called a “censorship attempt,” holding that the information was of public interest given the country’s political alignment and its stance on the war in Ukraine. Press-freedom advocates described Mediaworks’s takedown demands as a use of breach-response procedures to suppress legitimate journalism about its own newsrooms.
The authority, in a double position
The regulator ended up as both investigator and guardian of the leaked data. The National Authority for Data Protection and Freedom of Information (NAIH) opened an ex officio investigation after learning of the case through the press, and noted that the files included names, addresses and bank details, alongside documents classified as of public interest. At the same time, the authority asked media organizations not to publish links or information enabling access to the leaked data, and warned that the material’s public availability does not make its subsequent processing lawful under the GDPR. There lies the tension the case exposes: the same principle that protects a person from having their bank details spread can be invoked to halt coverage of a matter of public interest.
Why a breach at a media outlet is different
There is a risk that does not appear in most corporate leaks. As analysts warned, the internal records of a journalistic company contain the contact details of confidential sources — dissidents, whistleblowers, people with government information — who spoke on condition that their identity be protected, so a dump of editorial email voids those agreements at a stroke. World Leaks’ model makes the problem worse: emerging in 2025 as a rebrand of Hunters International, it dropped encryption to focus on stealing and publishing data, a variant that backup-focused defenses do not solve.
Two readings
The case admits two legitimate readings, and both should be held. For Mediaworks and, in its protective role, for the data protection authority, spreading unlawfully obtained information violates third parties’ rights and may break the law. For independent outlets and press-freedom advocates, the editorial content of a group aligned with power is precisely what public scrutiny needs to know, and data protection should not operate as a shield against journalism. The case is not resolved by picking a side, but by recognizing that two rights — the privacy of the people named in the files and the public interest in how a media empire works — collide in the same file. Pending, too, is the most basic thing for a data newsroom: that the authenticity of the material, today not independently verified, be confirmed before it is taken as true.