Australian book retailer Dymocks has joined the growing list of major organisations grappling with the unsettling reality of a data breach.
Initially flagged by Australian cybersecurity consultant Troy Hunt, creator of the Have I Been Pwned data breach website, the organisation notified the public on 6 September. Since then, Dymocks has revealed that the breach impacts 1.24 million customer records and has traced it to a third-party provider.
It’s yet another reminder that every organisation’s security posture is closely intertwined with other organisations’. Let’s dive into what happened.
With stores spread across Australia, New Zealand and Hong Kong, Dymocks is a large retailer and a data-rich target. After a threat actor released some of the company’s customer data on a dark-web hacking forum, Hunt notified Dymocks in early September. That same day, Dymocks posted a comprehensive customer notice detailing the incident, which it continues to update as of this article’s publication.
But the stolen information may have been circulating long before the company was aware of the breach. According to Hunt, the customer data had already been shared in Telegram channels and hacking forums since at least June 2023.
In its customer notice, Dymocks has confirmed that the stolen data spans a varying range of information:
Dymocks has stressed that credit card information and passwords were not part of the stolen trove of data.
However, as we’ve explored in several discussions (example: this webinar), fraudsters and scammers can use small bits of personal information to cobble together larger views of a target. This aids them in a variety of unsavoury tasks and social engineering scams, making it easier to infiltrate systems and dupe targets into making fraudulent payments or revealing sensitive information.
Aside from the potential for scams, it’s bad enough to contemplate your private information sitting on the dark web at all – a reality that Dymocks leadership has addressed candidly. Chief Executive Officer, Mark Newman, has apologised to customers and promised further updates as forensic investigations unfold.
“As an Australian-owned family company that has a successful legacy of serving Australian customers for 144 years, I cannot begin to express how devastated the team and I feel about this incident.
“We apologise unreservedly that the compromise has occurred, and we’re committed to looking for ways to further strengthen the measures that we and our partners take to keep your information safe.”
Dymocks has reiterated that investigations are still ongoing but did trace the breach to an “external data partner,” aligning with earlier company claims that its own systems had not been compromised.
Unfortunately, even the most impenetrable cybersecurity defences cannot guarantee that external partners share the same security standards or practices. Likewise, even the strongest financial controls can’t always protect your company if a cyber-criminal manages to infiltrate the systems of a supplier or other trusted partner, underscoring the interconnected nature of an organisation’s security posture.
Newman has advised customers to expect a final update once investigations are complete.
Amidst this turmoil, Dymocks has urged its customer base to remain vigilant. Customers have been asked to be on high alert for phishing or scam attempts that could leverage the stolen data.
Though the information was circulating much earlier, the September forum post promised other users access to the data trove for only a few dollars. Because of the wide availability of the data, it’s possible that a larger number of low-level or rogue scammers may attempt to use the information for targeted phishing or business email compromise (BEC) attacks.
Dymocks has also encouraged customers to update their passwords, update anti-virus software and patch any outdated software. For businesses and finance teams, though, there are additional precautions that can help lower your organisation’s risk of falling victim to a scam fuelled by stolen data.
One of the most important steps is reevaluating your financial controls. Even if organisations have a robust control framework in place, scammers are finding increasingly sneaky ways to sidestep these defences and manipulate AP staff into making fraudulent payments.
Along with staff training and greater awareness, finance leaders can beef up their defences by assessing, testing and adjusting their anti-fraud processes and controls.
Everything you need to know about the ClubsNSW data breach and how to protect yourself, your loved ones and your business.
How can you minimise insider threats without compromising culture? Find out 5 ways to do exactly that.
Crypto scams refer to any fraudulent practice in the cryptocurrency space aimed at tricking individuals into investing or giving away assets or …
End-to-end B2B payment protection software to mitigate the risk of payment error, fraud and cyber-crime.
