Customers were warned their email addresses, phone numbers, postal addresses, and DOBs may have been compromised.
Australian bookstore chain Dymocks has attributed a data breach that exposed 1.24 million customers’ confidential details on the dark web to a third-party provider.
The data breach was brought to light by Troy Hunt, the creator of the notification service “Have I Been Pwned” (HIBP), who informed the retailer that an unauthorized party may have gained access to its customer records on Sept. 6.
Mr. Hunt revealed that Dymocks’ data had been circulating on Telegram channels and a non-dark web forum for several days.
Following a prompt internal investigation, Dymocks confirmed that the systems of a third-party partner had been breached on Sept. 18.
A spokesperson for Dymocks stated, “We are collaborating with the identified partner to understand if and how their systems were accessed despite their security measures.”
Although the extent of the breach has not been fully determined, initial findings suggest that passwords and financial information were not compromised.
However, customers were notified that their email addresses, phone numbers, postal addresses, genders, dates of birth, and membership details may have been part of the exposed data.
Meanwhile, Dymocks expressed confidence that there has been no unauthorized access to its own systems. The company emphasized its commitment to privacy and security and assured customers that it has implemented various measures to protect personal information.
However, Mr. Hunt raised concerns about why organizations retain unnecessary customer data, although he praised Dymocks for acting promptly upon being informed of the breach.
Dymocks promptly engaged with the Office of the Australian Information Commissioner (OAIC) and the Australian Signals Directorate’s (ASD) Australian Cyber Security Centre (ACSC).
Furthermore, the data breach highlighted the need for better coordination of national responses to cybersecurity, according to Darren Goldie, the newly appointed National Cyber Security Coordinator.
‘Cyber Knows No Borders’: Goldie
Mr. Goldie emphasized that data breach events have caused significant distress and exposed shortcomings in cyber defense. He called for a culture shift in the response to cybersecurity, stating that all Australians should take responsibility and play their part.
While the government can take action to bring criminals to justice, Mr. Goldie also highlighted the need for the private sector to improve its own policies, audits, and training.
He reassured companies that the government will not retreat but instead aims to create a cyber-resilient nation as part of the Cyber Security Strategy 2023-2030.
Meanwhile, threat actors continue to find new ways to carry out online attacks, not only in Australia but worldwide.
Heightened Level of Malicious Cyber Activity
Australian Minister for Defence Richard Marles noted an increase in the volume and sophistication of cyber threats, leading to criminal activities such as extortion, espionage, and fraud.
For instance, the September 2022 Optus data breach involved hackers threatening to leak the data of 11 million customers online unless the telecommunications giant paid a US$1 million ransom.
Similarly, millions of current and former customers of health insurer Medibank had their personal information exposed in another breach.
Since these incidents, further attacks have been reported at Woolworths’ MyDeal, EnergyAustralia, Vinomofo, and Medlab.
The ACSC reported 67,500 incidents—a report every eight minutes—during the 2020-2021 financial year, a 13% increase compared to the previous year.
These incidents have made Australians more aware of online safety, with data breaches seen as the leading privacy risk according to a major survey conducted by OAIC.
OAIC Commissioner Angelene Falk said the survey findings support the need for privacy law reform and will guide the office’s ongoing input into the review of the Privacy Act.