Written by staff writer.
A cyber-attack targeting Australian bookseller Dymocks occurred around the time it switched to a new loyalty software provider. Over one million Dymocks customers had their personal information stolen during the mid-year hack on the third-party provider.
Dymocks CEO Mark Newman says its investigation of the data breach has concluded. While the investigation failed to discover who stole the data, it did determine that an unknown person stole access keys for a web server used by the unidentified third-party provider, with the hacker going on to use the keys to access the provider’s servers.
Newman says the provider was temporarily storing the customer data in a separate web server so it could import the contact information into its loyalty platform. He says there is no evidence to suggest that the hackers compromised the security protection measures for the Dymocks loyalty platform.
“Our forensic experts reviewed the key evidence provided by the new loyalty provider to confirm the cause of the data breach,” Newman told impacted customers via email on October 4. “Whilst we don’t know how the access key was taken or the identity of the cybercriminal who stole the contact information, we do know that the data found its way to the dark web.”
Dymocks shifted to a new loyalty software provider in June following a tender process after their previous provider exited the business. Newman says running a loyalty program is complex, and they, like many retailers, use third-party specialists for their expertise in loyalty data processing and email marketing.
“We keep the identity of the third-party providers confidential to protect your contact information. We can confirm that contact information was provided to a loyalty software provider and an email marketing provider,” the customer letter reads.
Having settled on a new loyalty software provider, Newman says Dymocks conducted a full review of their security and data practice. Despite this, the hackers obtained the full names, email addresses and/or mobile numbers of 1.24 million Dymocks customers who had joined its longstanding Booklover loyalty program.
Dymocks does not retain highly sensitive information such as driver’s licence details, credit card information, or passwords. Newman says this is a deliberate policy to minimize customer risk if a cyber-attack occurs.
Dymocks became aware of the cyber-attack on September 6, 2023, after a tipoff from cybersecurity consultant Troy Hunt. He says the Dymocks customer data had been circulating on Telegram channels and hacking forums since at least June. The data was inexpensive to buy, opening it up to many threat actors for targeted phishing or business email compromise attacks.
Newman acknowledged the need to take responsibility for Dymocks’ third-party providers. “We take our responsibility to protect your contact information extremely seriously and did have a strong range of measures in place. However, this incident highlighted a vulnerability in our external partner’s security measures,” he told customers. “Whether it is us or our partners, the security of your information was our responsibility.”
Newman says the book chain has been liaising with the Office of the Australian Information Commissioner (OAIC) and the Australian Cyber Security Centre and using independent cybersecurity advisors and forensic experts to investigate the breach.