Dissecting the Dymocks data breach

Shanna Hall

Australian book retailer Dymocks has joined the growing list of major organisations grappling with the unsettling reality of a data breach. 

Initially flagged by Australian cybersecurity consultant Troy Hunt, creator of the Have I Been Pwned data breach website, the organisation notified the public on 6 September. Since then, Dymocks has revealed that the breach impacts 1.24 million customer records and has traced it to a third-party provider. 

It’s yet another reminder that every organisation’s security posture is closely intertwined with other organisations’. Let’s dive into what happened.

What information was stolen, and when?

With stores spread across Australia, New Zealand and Hong Kong, Dymocks is a large retailer and a data-rich target. After a threat actor released some of the company’s customer data on a dark-web hacking forum, Hunt notified Dymocks in early September. That same day, Dymocks posted a comprehensive customer notice detailing the incident, which it continues to update as of this article’s publication.

But the stolen information may have been circulating long before the company was aware of the breach. According to Hunt, the customer data had already been shared in Telegram channels and hacking forums since at least June 2023.

In its customer notice, Dymocks has confirmed that the stolen data varies by customer and can include any of the following fields:

  • name
  • date of birth
  • email address
  • phone number
  • postal address
  • gender
  • loyalty program membership details

How might fraudsters capitalise on the Dymocks breach?

Dymocks has stressed that credit card information and passwords were not part of the stolen trove of data.

However, as we’ve explored in several previous discussions (including this webinar), fraudsters and scammers can combine small pieces of personal information into a much fuller profile of a target. That profile supports a range of social engineering scams, making it easier to gain access to systems and to dupe targets into making fraudulent payments or revealing sensitive information.

Aside from the potential for scams, it’s bad enough to contemplate your private information sitting on the dark web at all – a reality that Dymocks leadership has addressed candidly. Chief Executive Officer Mark Newman has apologised to customers and promised further updates as forensic investigations unfold.

“As an Australian-owned family company that has a successful legacy of serving Australian customers for 144 years, I cannot begin to express how devastated the team and I feel about this incident.

“We apologise unreservedly that the compromise has occurred, and we’re committed to looking for ways to further strengthen the measures that we and our partners take to keep your information safe.”

How did the breach happen?

Dymocks has reiterated that investigations are still ongoing but did trace the breach to an “external data partner,” aligning with earlier company claims that its own systems had not been compromised.

Unfortunately, even the strongest internal cybersecurity defences cannot guarantee that external partners share the same security standards or practices. Likewise, even the strongest financial controls can’t always protect your company if a cyber-criminal manages to infiltrate the systems of a supplier or other trusted partner. An organisation’s security posture is only as strong as that of the third parties it entrusts with its data.

Newman has advised customers to expect a final update once investigations are complete.

A call to stay alert

Amidst this turmoil, Dymocks has urged its customer base to remain vigilant. Customers have been asked to be on high alert for phishing or scam attempts that could leverage the stolen data.

Though the information was circulating much earlier, the September forum post promised other users access to the data trove for only a few dollars. Because of the wide availability of the data, it’s possible that a larger number of low-level or rogue scammers may attempt to use the information for targeted phishing or business email compromise (BEC) attacks.

Dymocks has also encouraged customers to update their passwords, update anti-virus software and patch any outdated software. For businesses and finance teams, though, there are additional precautions that can help lower your organisation’s risk of falling victim to a scam fuelled by stolen data.

One of the most important steps is re-evaluating your financial controls. Even where organisations have a robust control framework in place, scammers are finding increasingly sneaky ways to sidestep these defences and manipulate accounts payable (AP) staff into making fraudulent payments.

Along with staff training and greater awareness, finance leaders can beef up their defences by assessing, testing and adjusting their anti-fraud processes and controls.
