David Jones suffers data breach with customer information compromised

October 2, 2015 |

Following hot on the heels of Kmart announcing a data breach David Jones has started notifying customers today that there has been a large scale data breach of its website.  Itnews covers the story in David Jones website hacked, customer data stolen & the Age in David Jones says third party accessed ‘limited’ customer information. The PM program covered the story in Department store David Jones says customer details stolen in data breach with the transcript provides:

PETER LLOYD: The personal and private details of customers of retailer David Jones are in the hands of criminals who hacked the company’s computer system. But DJs insists no credit card information or passwords were stolen.

It’s also happened recently to K-Mart and the privacy commissioner says there has been a huge jump in reports of computer hacking to steal data over the last year.

Will Ockenden reports.

WILL OCKENDEN: It’s been a tough week for a couple of Australia’s largest retailers. Yesterday, Kmart admitted it had suffered from a privacy breach, where customer data had been stolen by people who had illegally accessed its computer systems.

Today, fashion department store David Jones revealed it too had been hacked.

ALLIE COYNE: David Jones today revealed that an attacker had managed to get into its website.

WILL OCKENDEN: Allie Coyne is a journalist for IT News.

ALLIE COYNE: We don’t know when but David Jones became aware of the breach last Friday and that attacker managed to get the customer names, e-mail addresses, order details and mailing addresses of people who had bought products off the David Jones website.

WILL OCKENDEN: In an email to affected customers this morning, seen by PM, David Jones said it had recently learned that a third party had exploited a vulnerability in its website. The department store wrote that the attackers had extracted limited information about some of its customer.

While names, email address and addresses were stolen, David Jones assured customers that no credit card or financial information was taken.

Allie Coyne again.

ALLIE COYNE: Luckily David Jones uses a payments gateway to process those details so it means it doesn’t actually store any credit card details or those sorts of information on its own servers.

WILL OCKENDEN: David Jones declined PM’s request for an interview, and the company hasn’t revealed the scale of the attack. As such, there’s no way to know how many people may be affected by this data breach. But in a media release, the company said that it had been working with its website technology provider IBM to fix the website issues.

Allie Coyne says the IBM reference is interesting.

ALLIE COYNE: Retailer K-Mart had a similar issue this week in which its own website also had customer details stolen by an external attacker. It uses the same platform that David Jones uses for its website, which is an IBM product. Now having said that, there’s no detail on how the attacker managed to get in but there is the possibility that that had something to do with it.

WILL OCKENDEN: So what’s the possibility that the K-Mart breach and the DJ’s breach are linked, given that they are using the same software platform?

ALLIE COYNE: We have seen instances in the past where attackers have identified some vulnerable software on companies and exploited that and then attempted to find other companies using similarly vulnerable software and gain entry into their systems that way so there is a possibility that was a factor in these two data breaches.

WILL OCKENDEN: As data breach notifications go, David Jones’ response has been to act quickly and to inform customers, perhaps aware that computer hackers often use personal information obtained in attacks like this to try and target the affected customers in later attacks, the department store has warned its customers not to provide financial information or credit card details over the phone or email.

ALLIE COYNE: Notification is key here and while financial details may not have been compromised, there’s still a lot of damage that can be done with, you know, you might think it’s a simple customer name or a customer e-mail address but putting all this sort of information together can be quite damaging.

So absolutely people need to be informed in these sorts of situations and the Government at the moment has promised to introduced legislation which would mandate that companies like David Jones inform their customers and the privacy commissioner in the case of such a breach.

WILL OCKENDEN: David Jones has informed Australia’s privacy commissioner of the breach.

The Office of the Australian Information Commissioner says it will wait for more information from David Jones before it decides if it will launch its own investigation.

PETER LLOYD: Will Ockenden reporting.

The reputational damage to such a breach can be enormous and more than justifies preventative spending in making sure the chance of a security breach is minimised.  It will be interesting to see how the Privacy Commissioner responds to this high profile breach. The Privacy Commissioner is good at the media side of things.  The enforcement role is a horse of an entirely different colour unfortunately.  The general approach has been timid and anaemic which does little to improve the culture of compliance with the Privacy Act, which remains poor.

Meanwhile in the US there has been another hack of breathtaking proportions with Experian being attacked and the records of 15 million customers being compromised as reported by the Guardian in Experian hack exposes 15 million people’s personal information.  Given Experian is a data broker and the information was of names, social security numbers, passport details the potential for identity theft and use of this information for other data breaches is high.

Even though Kmart and David Jones have focused on the limited scope of the breach it is a matter of huge impact to business.  In a report by Allianz titled A guide to cyber risk the estimated cost of such data breaches to the global economy is $445 billion annually.  Itgovernance covers the report in  Cyber crime costs the global economy $445 billion a year.

Major data breaches by criminals seeking personal information for retailers is not a US phenomena. Although the general level of preparedness is such that one might think so. A situation not improved by weak enforcement by the primary regulator, the Privacy Commissioner.

Interestingly the OECD has released its updated Recommendation on Digital Security Risk Management.  It is a very valuable addition to the literature and one that clearly identifies the issue with digital security, that a digital security risk is really an economic risk.  The media release, CEOs and governments should treat digital security as an economic risk,  provides:

Digital security risk should be treated as an economic rather than a technical issue, and should be part of an organisation’s overall risk management and decision-making, according to a new OECD Recommendation to member countries.

 A global, interconnected, open and dynamic digital environment brings considerable business and economic opportunities – and holds even more promise as the Internet of Things and Big Data become pervasive. But countries and businesses are increasingly exposed to digital security threats that are growing in both number and sophistication.  

 The OECD Recommendation on Digital Security Risk Management says that leaders and CEOs in the public and private sectors should take specific responsibility for the issue and integrate it into overall planning, rather than treating it solely as a technology matter.

 “Digital risk cannot be eliminated, and a totally secure digital environment is impossible if you want to reap the economic potential it opens up,” said OECD Science, Technology and Innovation Director Andrew Wyckoff. “But digital risk can be managed effectively. The leaders of an organisation are best-placed to steer the cultural and organisational changes needed to reduce this risk to an acceptable level.”

 The OECD, whose last Recommendation on digital security was in 2002, offers eight principles to guide digital security risk management, including on the responsibility of different actors, co-operation between stakeholders and the role of innovation. It recommends that countries adopt national plans to identify measures to prevent, detect, respond to and recover from digital security incidents.

The report is found here.

One Response to “David Jones suffers data breach with customer information compromised”

  1. David Jones suffers data breach with customer information compromised | Australian Law Blogs

    […] David Jones suffers data breach with customer information compromised […]

Leave a Reply