Written by staff writer.
Australia’s biggest chain of bookshops, Dymocks, has revised upwards the number of customers affected by a cyber attack in early September. Late last week, the retailer emailed customers saying an additional 400,000 customers are impacted.
“While our investigation is ongoing, it has been confirmed that 1.24 million customer contact records were stolen and made available on the dark web,” the September 15 email reads. “The information in the contact records is limited to contact information such as name, address, phone, email, membership details, and date of birth.”
A week earlier, when advising of the attack, Dymocks said the number of customers affected was approximately 836,000. Dymocks operates 65 stores around Australia and also has a sizeable online presence. The book chain actively encourages customers to join its rewards program when buying books in physical stores and online. The sign-up process collects information such as email addresses, mobile phone numbers and dates of birth. Dymocks says collecting date of birth information allows them to send a gift or discount voucher on or around the customer’s birthday. The sign-up process does not require information like residential addresses or credit card details.
“We confirm that none of the information published consists of passwords, identification such as driver’s licences or any other highly sensitive information such as transaction information, payment information, or credit card information,” the most recent update says.
An external third party notified Dymocks of the cyber attack on September 6. Troy Hunt, who operates the data breach notification service ‘Have I Been Pwned’ (HIBP), says Dymocks’ data was circulating for several days, including via Telegram channels and a non-dark web forum, before he gave the bookseller the heads up. Hunt says it once again raises questions about why organisations retain customer data they don’t need. However, he does praise Dymocks for moving swiftly once informed.
“We immediately launched an internal investigation with the assistance of our cybersecurity advisers and independent forensic experts, who have now confirmed that our customer records are available on the dark web,” Dymocks’ attack advisory says. The company says it does not believe its own systems were compromised, but that a third-party partner’s systems were subject to unauthorised access. “We are working with the identified partner to focus on understanding if and how their systems were accessed despite their security measures. To date, we do not have any evidence of any access to our systems, and we are working hard to rule this out.”
Responding to the breach, cybersecurity advisories say that while the hackers stole no highly sensitive data such as driver’s licences or credit card details, data such as email addresses and mobile phone numbers is useful when compiling details on a potential identity theft target, and date of birth information is particularly valuable. The advisories say that, given the data was released online at little or no cost, phishing campaigns targeting Dymocks’ customers are a likely outcome, and they warn customers to be alert.
“We are very sorry this has happened, and the focus of our investigations is to understand how this has occurred,” says the Dymocks statement. “We also take our legal obligations seriously and follow appropriate reporting guidelines and applicable laws. We are engaging with the Office of the Australian Information Commissioner and the Australian Cyber Security Centre.” The bookseller says customers should change their passwords for online accounts and be alert for any phishing scams that may come by phone, post or email.