Powered by MOMENTUM MEDIA
cyber daily logo
Breaking news and updates daily. Subscribe to our Newsletter

Exclusive: Australian furniture retailer Early Settler confirms data breach

Threat actor claims to have the data of more than one million customers, dataset for sale on hacking forum.

user icon David Hollingworth
Tue, 06 Aug 2024
Exclusive: Australian furniture retailer Early Settler confirms data breach
expand image

Furniture retailer Early Settler has confirmed it is the victim of a data breach exposing the names and contact details for sale on a popular hacking forum.

A forum user named ‘worry’ posted the details of the breach on August 3, claiming to have the details of 1.1 million customers.

“Earlysettler.com.au (esrgroup.com.au) is a big furniture and retail company in Australia,” worry said in a post headed ‘Earlysettler.com.au 1m’.

============
============

“Dumped in July 2024 by me, total users 1.1M. Contains full names, emails, phone, address, dob, etc.”

The threat actor also posted a link to a short list of sample data, which mostly consisted of internal data relating to loyalty rewards, customer reference numbers, and several survey results. However, for each line of data, most of those fields were empty.

While some of the listed emails had been listed in previous data breaches, others were unique to this incident. The data was being offered for US$2,000, and the hacker provided contact details for any prospective buyers.

A spokesperson for Early Settler confirmed the incident.

“Early Settler has become aware that a third party has named our company online alongside claims they have accessed some of our customers’ contact information. We understand this news may cause concern and wish to assure our customers that we are investigating this as a priority, including a review of our security systems as a precautionary measure,” the spokesperson said after being contacted by Cyber Daily.

“From the claims published online, we understand the impacted customer data includes names, phone numbers, email addresses, delivery addresses and dates of birth.

“Importantly, there is no suggestion that any payment details are involved, and we can assure our customers that we do not hold credit/bank card details. “

According to Early Settler, the data was stolen from an archived database that dated back to July 2022, and no customer information after that date was affected. In addition, while some dates of birth are in the dataset, the company confirmed that “it only contains complete dates of birth for a very small number of customers and month of birth for some customers”.

“We apologise for any concern that this news may cause and would like to assure our customers that we have no evidence of any broader impact to our systems or information,” Early Settler said.

The company has said it will be notifying customers shortly and has placed a notice on its website. Early Settler is also contacting the relevant authorities.

“We take cyber security seriously and are committed to keeping all our stakeholders updated as we work to respond to this incident. We are in the process of notifying the Office of the Australian Information Commissioner (OAIC) and the Australian Cyber Security Centre (ACSC), and the New Zealand Office of the Privacy Commissioner (OPC) and CERT NZ of the incident,” Early Settler said.

“We would like to assure our customers that we are taking all appropriate steps to remediate this situation as swiftly as possible and have also implemented sophisticated monitoring systems to ensure we are aware of any further developments.”

AUCloud CEO Peter Maloney called the incident a "stark illustration of the evolving cyber threat landscape".

"The breach ... is a stark illustration of the evolving cyber threat landscape. As cyber threats become more sophisticated, it's imperative for businesses to not only protect their current data but also ensure that historical data stored in archives is secure. Many organisations fail to realise that archived data, often considered less risky, can still be a lucrative target for cyber-criminals," Maloney said.


UPDATED 07/08/2024 to add AUCloud commentary.

David Hollingworth

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.

newsletter
cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.