Bunnings Customer Data Compromised


By Staff Writer.

The names and email addresses of thousands of Bunnings Drive and Collect customers may have been compromised in the FlexBooker Christmas time data breach.

Bunnings contacted customers on Wednesday to inform them hackers may have stolen some of their personal data after FlexBooker’s data storage on the Amazon Cloud platform was accessed and downloaded on December 23.

FlexBooker provides customised appointment scheduling software to Bunnings and many other businesses. Hackers stole the personal data of approximately 3.7 million people in the December attack.

Bunnings’ drive and collect service allows customers to purchase products online, book in a time for a contactless pickup, drive to the store, park in the drive and collect bays, and have the purchased products loaded into the customer’s car.

“We wanted to let you know that we have recently been made aware of a data security breach experienced by our third-party booking provider, FlexBooker,” Bunnings told its impacted customers on Wednesday.

“Please be assured that passwords, credit card information and mobile numbers are not collected when using FlexBooker to make a booking with us, and we are confident that none of these categories of customer data have been compromised.”

Customers of some other businesses using FlexBooker were not so lucky. FlexBooker has recently confirmed the hackers obtained the last three digits of customer credit card numbers in the attack. However, the company says the hackers did not get the full card numbers, expiry dates, or CCVs.

Microsoft Regional Director Troy Hunt says the data stolen in the FlexBooker attack was being actively traded on a popular hacking forum.

“The data included email addresses, names, phone numbers, and for a small number of accounts, password hashes and partial credit card data,” he says.

The December deep denial of service attack on FlexBooker’s account on Amazon’s AWS servers saw the company’s customers unable to access their accounts and FlexBooker unable to service those accounts.

“As part of the incident, our system data storage was also accessed and downloaded,” FlexBooker says. At the time, FlexBooker called the attack a “massive deep denial of service attack.” The attack caused widespread outages of FlexBooker’s core application functionality.

After working with Amazon, the company restored services within 12 hours of the first outage. In the aftermath, FlexBooker acknowledged that hackers stole a “certain set” of data from some customers. At the time, FlexBooker said the stolen data did not include credit card or other payment card numbers.

The company also added that customer passwords included in the data were encrypted and that the encryption key was not accessed or downloaded.

Bunnings told customers it is working with FlexBooker to understand how the breach occurred in their systems and the extent of the impact. The company has also notified the Office of the Australian Information Commissioner (OAIC) in line with the mandatory Notifiable Data Breaches scheme.

“We take the privacy and the protection of customer information very seriously, and we sincerely regret that this has happened,” the hardware giant said.
