Dymocks suffers data breach, data placed on the dark web

September 11, 2023 |

 

Dymocks became aware of a data breach on 6 September 2023. It became aware via someone telling it that customer data had been put on the dark web.  Dymocks notified customers on 8 September 2023. That is quite a quick notification which was more inspired by stolen customers data being posted on the dark web more than best practice. Dymocks notification on its website is quite good, brilliant by the dismal standards usually displayed by Australian companies. The content of the notice makes it clear that Dymock’s is a long way from completing its damage assessment.  It put out the Notice to get ahead of the story.  That is generally a good idea.  To see how bad things can get when an affected organisation doesn’t advise its customers look at the way Optus and Medibank handled their respective data breaches. 

Dymocks doesn’t know much data has been exfiltrated (but it is reported elsewhere that up to 836,000 unique email addresses were stolen), it doesn’t know when the breach occurred, it doesn’t know what data was taken but suggests it is probably personal information but is definitely not financial information.  That Dymocks discovered the data breach from a party finding customer data on the dark web highlights a weakness in its data security.  It is passe to merely rely on a perimeter defence and have no other means of monitoring hostile activity within the site.  Organisations should use programs to test their cyber defences, such as Nessus and Metasploit.   Perimeter defences get breached, often by use of purloined authentications, as was the case with HWL Ebsworth.  Threat intelligence tools should be part of any organisation that collects and uses significant amounts of personal information.  Companies should be using intrusion detection systems such as SolarWinds Event Manager, to name one of many.    
The notice provides:

We recently became aware of a data breach of customer information. We have a strong commitment to customer privacy and data security and while the magnitude of the breach has not been confirmed or determined at this stage, we are taking immediate action to investigate the incident and protect customers information.

Below is a summary of what we know, what we’re doing, and how we’ll continue to communicate further updates.

We apologise for any inconvenience or concern this situation causes customers. We are committed to providing updates as our investigation progresses. All necessary steps will be taken to safeguard customer data.

How we will communicate

Customers will be notified via email as we know more. We will also update this webpage with the latest updates.

Frequently Asked Questions (FAQs) – Customer data breach

1. What happened?

On 6 September 2023, we became aware that an unauthorised party may have access to our customer records (Incident).

As soon as we became aware of the Incident, we, together with our cybersecurity advisers, promptly launched an investigation to assess what happened.

While our investigation is ongoing and at the early stages, our cybersecurity experts have found evidence of discussions regarding our customer records being available on the dark web.

2. How (where) was this unusual activity detected?

The unusual activity was discovered by a concerned third party who informed us. We immediately launched an internal investigation with the assistance of our cybersecurity advisers, who found evidence of discussions regarding our customer records being available on the dark web.

3. Has a malicious third party accessed Dymocks’ systems?

This is part of our investigation and we are working hard to understand if there has been any unauthorised access to our systems or any third parties who have processed customer data on our behalf. At the moment initial scans of our systems show no sign of penetration and we are working with our third party partners to understand whether the breach could have occurred in their systems.

4. How long did the access last?

We don’t know if there has been any access to our systems and we are currently investigating this.

5. How many people have been impacted?

At this stage, it is unclear which customers may be impacted.

It is part of our investigation, and we are working hard to understand how many people have been impacted. As we value being open and transparent with our customers, we have let all our customers know about the Incident.

We are committed to being transparent about what we know and how it impacts you. We will keep you updated during the investigation and our assessment, as we receive more information.

6. What information has been involved?

At this stage, we don’t know which specific customers have been impacted by the Incident and we are working hard to understand this.

While our investigation is ongoing, the kinds of information impacted vary from person to person (depending on what they have provided us with) and may include:

    • name;
    • date of birth;
    • email address;
    • postal address;
    • gender; and
    • membership details for Booklovers such as your gold expiry date, account status, member created date and card ranking.

Importantly, as we never hold or store customer financial information this information would not be in the customer record.

7. What has Dymocks done to date?

    • Our investigation is underway. We understand the importance that you place on keeping your personal information safe and secure. We know protecting your information is a great responsibility and is front and centre in our response to the current situation.
    • We took immediate containment steps, including to secure our system.
    • We are offering support to individuals we know have been impacted by the incident and if you have any questions you can contact our customer support team on:
      • 1800 849 096 between 9am and 5pm AEST; and
      • help@dymocks.com.au
    • We also take our legal obligations seriously and we are following appropriate reporting guidelines and applicable laws. We will notify relevant authorities as required.
    • We are committed to being transparent about what we know and how it impacts you. We will keep you updated during the investigation and our assessment (if required).
    • We are following regulatory guidance in responding to the Incident.

8. What should I do if I think my data has been compromised?

Given the information may be on the dark web and this can be used by cyber criminals to commit fraud and other scams, we recommend you consider taking the following precautionary steps to protect yourself:

    1. Change your passwords for your online accounts including for your Booklovers account, social media and other online accounts (and otherwise ensure that you have sufficiently complex passwords);
    2. Be alert for any phishing scams that may come to you by phone, post or email. These are emails pretending to be from a reputable company but are not actually sent by that company;
    3. Ensure that you have up-to-date anti-virus software and any recommended software patches installed on your computer systems;
    4. Visit Scamwatch (at https://www.scamwatch.gov.au/) to keep up with current scam trends; and
    5. Read further information about staying safe online at:
    6. the Office of the Australian Information Commissioner’s website at https://www.oaic.gov.au/privacy/your-privacy-rights/data-breaches/data-breach-support-and-resources; and
    7. the Australian Cyber Security Centre’s website at https://www.cyber.gov.au/threats/types-threats/scams.

9. Have you proactively notified the OAIC or law enforcement bodies?

We are following all appropriate reporting requirements. We are currently assessing the incident and will notify the OAIC and any other enforcement bodies if required.

10. Are cyber criminals involved?

As we are at the stages of our investigation, we are unable to confirm this. However, given we have found evidence of discussions regarding our customer records being available on the dark web, it is possible that cyber criminals are involved.

11. Were my credit card details exposed?

No. We never hold or store customer financial information (including credit card details) and this information would not be in the customer records the unauthorised party may have access to.

12. Has my password for my Booklovers account been compromised?

While our investigation is ongoing, based on information to date it does not appear that any Booklovers passwords have been compromised.

With that said, given the information may be on the dark web and this can be used by cyber criminals to commit fraud and other scams, we recommend you consider, as a precautionary step, changing your passwords for your online accounts including for your Booklovers account, social media and other online accounts (and otherwise ensure that you have sufficiently complex passwords).

13. Can I keep shopping with you?

Yes. We recommend you change your Booklovers password but our systems are operational and you can continue to make purchases with us.

14. Who should I contact if I have any questions or concerns?

If you have further questions or concerns, it is best to direct them to our customer support team on:

    • 1800 849 096 between 9am and 5pm AEST; and
    • help@dymocks.com.au

Needless to say the has been considerable coverage, with ItNews Dymocks discloses breach after dark web data leak, ABC News Dymocks warns customers of data breach after account information leaked on dark web and the Guardian’s Dymocks warns customer records may be on dark web after possible data breach.

 

Leave a Reply