
Dymocks pins data breach on third-party ‘partner’

Dymocks has released an update on its 6 September data breach, pointing to “unauthorised access” to the systems of one of its third-party partners.

David Hollingworth
Mon, 18 Sep 2023

The Australian bookseller is still investigating the incident with the help of its own “cyber security advisers” and external experts.

The company has confirmed the leak of 1.24 million customer records, saying it has “now confirmed that our customer records are available on the dark web”.

“Although our investigations are ongoing, we do believe that one of our third-party partner’s systems [was] subject to unauthorised access,” Dymocks said in an update to their customer notice on the incident late last week.

“Whilst we continue to keep all avenues open, we are working with the identified partner to focus on understanding if and how their systems were accessed despite their security measures.”

Dymocks is now working with all of its third-party suppliers to understand if any further access to customer data has occurred.

“As we value being open and transparent with our customers, we let all our customers know about the incident on 8 September 2023 about the kinds of information involved and the steps they should take to protect themselves. We provided a further update on 15 September 2023 to confirm that our customer records had been published on the dark web,” Dymocks said.

The affected data included names, postal and email addresses, gender, and Booklovers membership details.

Although Dymocks said the data is available on the dark web, at the time of reporting last week, one hacker was claiming to have 1.2 million sets of data, apparently from Dymocks, and was selling it on a popular clear web hacking forum.

The person selling the information provided some sample sets of the data on 3 September, and other forum users have confirmed it appeared to be legitimate.

“For what it’s worth,” one user has posted, “I can verify by correlating with other Australian breaches that at least two of the sample entries look legit because the data matches known good older breaches (Medicare I think)”.

However, a second member on the same forum also claims to be selling 1.2 million lines of data from the breach. They have posted a small sample, which seems to include the same details – including Booklovers membership – as the original post. This second post was made today, Monday, 18 September.

The current asking price for both datasets is about €3.75, or just over $6 – anyone with enough site credits can unlock the data to use as they wish.


David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
