One Million Dymocks Customers Exposed Online in Data Breach

Customers were warned their email addresses, phone numbers, postal addresses, and DOBs may have been compromised.
A 3D printed model of a man working on a computer, LED lights and toy people figures are seen in front of displayed binary code and words "Data leaking" in this illustration taken, on July 5, 2021. (Dado Ruvic/Illustration/Reuters)
Isabella Rayner
9/19/2023 | Updated: 9/19/2023
Australian bookstore chain Dymocks has blamed a third-party provider for a data breach that exposed 1.24 million customers’ confidential details on the dark web. 
The data breach was revealed by notification service “Have I Been Pwned” (HIBP) creator Troy Hunt who told the retailer that an unauthorised party may have accessed its customer records on Sept. 6.
Mr. Hunt said Dymocks’ data had been circulating for several days via Telegram channels and a non-dark web forum.
After promptly launching an internal investigation, Dymocks confirmed a third-party partner’s systems had been accessed on Sept. 18. 
“We are working with the identified partner to focus on understanding if and how their systems were accessed despite their security measures,” a Dymocks spokesperson said.
“While the extent of the breach had not yet been confirmed, initial indications were that passwords and financial information had not been compromised.”
However, customers were warned their email addresses, phone numbers, postal addresses, genders, and dates of birth formed part of the lost data. Membership details were also potentially leaked.
Dymocks has maintained confidence that, to date, “it does not appear there has been any unauthorised access to our systems. Dymocks takes privacy and security seriously and has a range of measures in place to secure your personal information.”
However, Mr. Hunt said the breach “raises questions about why organisations retain customer data they don’t need” despite praising Dymocks for moving swiftly once informed.
Dymocks promptly engaged with the Office of the Australian Information Commissioner (OAIC) and the Australian Signals Directorate’s (ASD) Australian Cyber Security Centre (ACSC).
Meanwhile, the data breach highlighted that national responses to cyber security could have been better coordinated, according to the newly appointed National Cyber Security Coordinator Darren Goldie.

‘Cyber Knows No Borders’: Goldie

Speaking at the AFR Cyber Summit Australia 2023 on Sept. 19, Mr. Goldie said data breach events caused widespread and enormous distress and highlighted a lack of cyber defence.

He said data breaches also caused a rapid change of mindset over the last 12 months, with cyber security becoming a “whole-of-nation conversation.” As a result, he has called for a culture shift in response to cyber security.

He said the shift should evolve cyber “thinking and practices” and that all Australians needed “to take responsibility and play our part.”

The government could do a certain amount of the heavy lifting to bring criminals to justice; however, the private sector needed to improve its own “policies, audits, and training.”

Further, he assured companies it would not mean the government would “vacate the field,” but it would “allow us to equally address the goal of the Cyber Security Strategy 2023-2030—to create a cyber-resilient nation.”

Meanwhile, threat actors worldwide continue to find innovative ways to carry out online attacks in many countries, including Australia.

Heightened Level of Malicious Cyber Activity

Minister for Defence Richard Marles said Australia has experienced an increased volume—and sophistication—of cyber threats, amplifying criminal activity such as extortion, espionage, and fraud.
For example, the September 2022 Optus data breach saw hackers demand the telecommunications giant pay them a US$1 million ransom, or they would leak the data of 11 million customers online. 

Just three months later, millions of health insurer Medibank’s current and former customers had their personal information exposed.

The company said 9.7 million customers were exposed, including 5.1 million Medibank customers, 2.8 million ahm insurance customers, and 1.8 million international customers.

Since the Optus and Medibank data breaches, further attacks have been reported at Woolworths’ MyDeal, EnergyAustralia, Vinomofo, and Medlab.
The ACSC reported 67,500 incidents—one report every eight minutes—in the 2020-2021 financial year, up 13 percent compared to the previous year.
Following the incidents, Australians are now becoming more wary of online safety, with data breaches considered the biggest privacy risk today, according to a major OAIC survey released on Aug. 8.

OAIC Commissioner Angelene Falk said the results were not surprising, with “almost half” of those surveyed saying they were affected by a data breach in the prior year.

The survey findings also revealed strong support for privacy law reform, with Ms. Falk saying the breaches were an opportunity to ensure change.

“The OAIC will use the findings to inform our ongoing input into the review of the Privacy Act and to target our activities at areas of high concern among the community,” Ms. Falk said.

Isabella Rayner is a reporter based in Melbourne, Australia. She is an author and editor for WellBeing, WILD, and EatWell Magazines.