Dymocks’ Disaster: Private Data of Millions Exposed in Latest Breach

Dymocks data breach exposes 1.2M customer records, sparking discussions and concern

Dymocks, one of Australia’s largest bookstore chains, suffered a data breach that potentially exposed the personal information of approximately 1.2 million customers to hackers operating on the dark web. The breach was identified on September 6, 2023, and the company promptly notified its customers via email on September 8, 2023.

The compromised data encompasses customer names, dates of birth, email and postal addresses, genders, and membership details. However, Dymocks assured customers that no financial information was compromised.

Upon discovering the breach, Dymocks initiated an investigation in collaboration with its cybersecurity advisors. They uncovered evidence of discussions regarding the availability of customer records on the dark web, a part of the internet inaccessible through conventional browsers, often utilized for illicit activities.

The company remains uncertain about the extent of the impact, the specific customers affected, or the method by which the breach transpired. Dymocks is actively cooperating with its third-party partners to determine if the breach may have occurred within their systems.

In response to the incident, Dymocks has advised its customers to exercise caution. They are encouraged to change their passwords for all online accounts, including Dymocks and social media accounts, and to monitor their bank accounts for any unauthorized transactions. Customers are also urged to stay vigilant for potential phishing scams via phone, mail, or email.

Dymocks has emphasized its commitment to the security of customer personal information and its dedication to transparency regarding the incident. The company pledges to continue its thorough investigation in accordance with applicable laws.

Customers with questions about the breach can reach out to Dymocks at 1800 849 096 between 9 am and 5 pm AEST or via email at help@mydymocks.com.au.

The Dymocks data breach serves as a recent example of how cyberattacks can jeopardize the personal information of millions, potentially leading to identity theft, fraud, and other malicious activities. It also raises concerns regarding the necessity for a bookstore to retain sensitive data like dates of birth and genders, as well as the adequacy of security measures in place to safeguard such information.

Renowned cybersecurity expert and creator of the ‘Have I Been Pwned’ service, Troy Hunt, disclosed the breach to Dymocks after encountering customer data shared on Telegram channels. Hunt noted that the most recent account creation date in the data was June 20, 2023, indicating that the breach might have occurred several months earlier, unbeknownst to Dymocks.

Hunt further highlighted that approximately a quarter of the 1.2 million records in the Dymocks dataset were labeled as ‘inactive,’ suggesting deficiencies in Dymocks’ data retention policy or practices.

While acknowledging Dymocks’ swift response, Hunt questioned the necessity for a bookstore to store customers’ birthdates and genders. He proposed that Dymocks could have minimized data collection by storing only the birth year or age group in five-year intervals during sign-up.

Hunt recommended that customers employ unique passwords for different online accounts and enable two-factor authentication whenever possible to bolster their online security.

The Dymocks data breach serves as a reminder that no entity is immune to cyberattacks, underscoring the importance of safeguarding personal information and advocating for responsible data collection and security practices by companies.
