Bunnings Warehouse customers who shopped using the contactless pick-up service may have had some of their personal information stolen.
The company has emailed customers to say it was recently made aware of a data security breach at its third-party booking provider, FlexBooker.
In December 2021 FlexBooker suffered a breach that exposed the information of around 3.7 million of its users, and last week Bunnings was forced to warn its own customers of the incident.
The compromised information may have included customers' names and email addresses, which were provided when they selected a timeslot for a drive and collect order.
Although Bunnings is adamant that no sensitive information was lost in the attack, incidents like these can lead to significant reputational damage.
In what are known as supply chain attacks, malicious actors go after third-party vendors such as FlexBooker as a way into the larger partner organisations, such as Bunnings, that are the real target, according to Ajay Unni, cyber security expert and founder of StickmanCyber.
"Lately, there has been a steady increase in these types of attacks as it is difficult for both vendors and their customers to protect their networks against well-resourced actors with the ability to compromise widely used software products.
"Many companies including Bunnings rely on vendors like FlexBooker for a variety of services and given the value of these third-party providers, simply avoiding these partnerships to remove the risk of a cyber attack is not a solution," Unni said.
To reduce third-party risk significantly, Unni says organisations first need to recognise and understand that risk before they can defend against the breaches it leads to.
"Firstly, businesses should acknowledge the existence of third-party risk and work on understanding their exposure – defining their tolerance to risk goes a long way in combating supply chain attacks."
"Secondly, ensure the vendors and key stakeholders you work with understand your supply chain process and that third-party risk processes are established.
"Thirdly, when your organisation identifies possible vendors to partner with, ensure that cyber security is covered in the contract," Unni said.
Once an organisation partners with a vendor, it is important that a process is in place to continually assess and monitor the risk that vendor introduces.
"For example, utilising vendor risk assessment questionnaires can help you make sure that a vendor's internal data handling practices and procedures are secure and can help you identify any possible risks.
"Understanding where your most critical assets are and who has access to them is a vital component of any cyber security strategy," Unni said.
Even with all these measures in place, Unni added, the growing sophistication of attackers means organisations must always be prepared for a cyber attack and have an incident response plan ready to limit the impact a security incident can have on the business.
The Bunnings and FlexBooker incident is another unfortunate addition to the rapidly growing list of cyber attack victims in Australia and globally.
"It is important that organisations, large or small, prioritise the uplift of all facets of their cyber security policies as well as ensuring their vendors do the same.
"Adopting a proactive approach rather than a reactive one when it comes to fighting back against supply chain attacks and cyber crime is the best way to protect your business from becoming the next cautionary tale," Unni concluded.