Australian bookseller Dymocks has begun notifying its customers of a data breach that could affect some personal information.
According to a “customer notice” on the store’s website, a “concerned third party” informed Dymocks of “unusual activity”. Dymocks became aware of this on 6 September and immediately began an investigation.
“We immediately launched an internal investigation with the assistance of our cyber security advisers,” Dymocks said in the notice, “who found evidence of discussions regarding our customer records being available on the dark web”.
The ABC is reporting that Dymocks has sent an email to its customers warning of a possible breach affecting contact details, addresses, and emails, but the incident report itself is effectively hidden away under customer notices, which can only be found in the footer of Dymocks’ website.
Dymocks is currently working to understand what data may have been affected, but according to the updated customer notice, “initial scans of our systems show no sign of penetration, and we are working with our third-party partners to understand whether the breach could have occurred in their systems”.
“At this stage, it is unclear which customers may be impacted,” it said.
However, Cyber Security Connect has been able to find an individual claiming to be selling the data on a popular clear web data leaks forum. The user seems to have 1.2 million sets of data, including names, addresses, email addresses, phone numbers, dates of birth, and Dymocks membership card details.
The person selling the information has provided some sample sets of the data, and other forum users have confirmed it appears to be legitimate.
“For what it’s worth,” one user has posted, “I can verify by correlating with other Australian breaches that at least two of the sample entries look legit because the data matches known good older breaches (Medicare I think).”
The breached data was offered for sale on 3 September, and the current asking price to unlock it is about €3.75, or just over $6 – anyone with enough site credits can unlock the data to use as they wish. The information is in a single .csv file, suggesting that it is from a single database.
“We apologise for any inconvenience or concern this situation causes customers,” Dymocks said in its customer notice. “We are committed to providing updates as our investigation progresses. All necessary steps will be taken to safeguard customer data.”
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.