Australia furniture retailer Early Settler has confirmed it was the victim of a data breach that exposed customer names, email addresses, phone numbers, delivery addresses, and, in some cases, dates of birth.
“Early Settler has become aware that a third party has named our company online alongside claims they have accessed some of our customers’ contact information,” the company said via a statement this week.
There are claims 1.1 million customers had their data taken. The data includes data from an archived database dating back to July 2022. However, payment information was not taken. “We do not hold credit/bank card details,” the retailer said.
The threat actor, identified as ‘Worry’, posted the breach details on a hacking forum, offering the data for sale for USD2,000. A sample of the data showed mostly empty fields, though some emails were unique to this breach.
“The reported breach is a stark illustration of the evolving cyber threat landscape,” said AUCyber CEO Peter Maloney. “As cyber threats become more sophisticated, it’s imperative for businesses to not only protect their current data but also ensure that historical data stored in archives is secure. Many organisations fail to realise that archived data, often considered less risky, can still be a lucrative target for cybercriminals.”
“The fact that the data was offered for sale on a hacking forum emphasises the commercial nature of cybercrime today,” he added. “This incident reflects a broader trend where stolen data is commoditised and traded in underground markets. Organisations must not only enhance their defensive measures but also be vigilant about monitoring and responding to emerging threats. The focus should be on building resilient systems that can quickly adapt to new attack vectors and mitigate potential damage.”
Early Settler says it is investigating the breach as a priority, reviewing its security systems, and notifying affected customers. The company has also informed relevant authorities, including the Office of the Australian Information Commissioner and the Australian Cyber Security Centre.