Dissecting the Dymocks data breach


Australian book retailer Dymocks has joined the growing list of major organizations grappling with the unsettling reality of a data breach.

After Australian cybersecurity consultant Troy Hunt, creator of the Have I Been Pwned data breach website, initially flagged the breach, the organization notified the public on 6 September. Since then, Dymocks has revealed that the breach impacts 1.24 million customer records and has traced it to a third-party provider.

It’s yet another reminder that every organization’s security posture is closely intertwined with other organizations'. Let's dive into what happened.

What information was stolen, and when?

With stores spread across Australia, New Zealand, and Hong Kong, Dymocks is a large retailer and a data-rich target. After a threat actor released some of the company’s customer data on a dark-web hacking forum, Hunt notified Dymocks in early September. That same day, Dymocks posted a comprehensive customer notice detailing the incident, which it continues to update as of this article’s publication.

But the stolen information may have been circulating long before the company was aware of the breach. According to Hunt, the customer data had already been shared in Telegram channels and hacking forums since at least June 2023.

In its customer notice, Dymocks has confirmed that the stolen data includes a varying mix of the following information:

  • name
  • date of birth
  • email address
  • phone number
  • postal address
  • gender
  • loyalty program membership details

How might fraudsters capitalize on the Dymocks breach?

Dymocks has stressed that credit card information and passwords were not part of the stolen trove of data.

However, as we’ve explored in several discussions (example: this webinar), fraudsters and scammers can use small bits of personal information to cobble together larger views of a target. This aids them in a variety of unsavoury tasks and social engineering scams, making it easier to infiltrate systems and dupe targets into making fraudulent payments or revealing sensitive information.

Aside from the potential for scams, it’s bad enough to contemplate your private information sitting on the dark web at all – a reality that Dymocks leadership has addressed candidly. Chief Executive Officer, Mark Newman, has apologized to customers and promised further updates as forensic investigations unfold.

“As an Australian-owned family company that has a successful legacy of serving Australian customers for 144 years, I cannot begin to express how devastated the team and I feel about this incident.

“We apologize unreservedly that the compromise has occurred, and we’re committed to looking for ways to further strengthen the measures that we and our partners take to keep your information safe.”

How did the breach happen?

Dymocks has reiterated that investigations are still ongoing but did trace the breach to an “external data partner,” aligning with earlier company claims that its own systems had not been compromised.

Unfortunately, even the most impenetrable cybersecurity defenses cannot guarantee that external partners share the same security standards or practices. Likewise, even the strongest financial controls can’t always protect your company if a cybercriminal manages to infiltrate the systems of a supplier or other trusted partner, underscoring the interconnected nature of an organization’s security posture.

Newman has advised customers to expect a final update once investigations are complete.

A call to stay alert

Amidst this turmoil, Dymocks has urged its customer base to remain vigilant. Customers have been asked to be on high alert for phishing or scam attempts that could leverage the stolen data.

Though the information was circulating much earlier, the September forum post promised other users access to the data trove for only a few dollars. Because of the wide availability of the data, it’s possible that a larger number of low-level or rogue scammers may attempt to use the information for targeted phishing or business email compromise (BEC) attacks.

Dymocks has also encouraged customers to update their passwords, update anti-virus software, and patch any outdated software. For businesses and finance teams, though, there are additional precautions that can help lower your organization’s risk of falling victim to a scam fueled by stolen data.

One of the most important steps is reevaluating your financial controls. Even if organizations have a robust control framework in place, scammers are finding increasingly sneaky ways to sidestep these defenses and manipulate accounts payable (AP) staff into making fraudulent payments.

Along with staff training and greater awareness, finance leaders can beef up their defenses by assessing, testing, and adjusting their anti-fraud processes and controls.

Author

Shanna Hall

Published

16 Jun 2025

Reading Time

4 minutes
