David Jones
Summary
David Jones' online shopping website was hacked, with attackers accessing customer names, email addresses, order details and mailing addresses. The breach occurred just days after Kmart Australia revealed a similar incident; both incidents affected major Australian retailers in October 2015.
What Happened
David Jones discovered the website breach on 25 September 2015, learning that attackers had exploited a vulnerability in its WebSphere-based ecommerce platform. The hackers gained unauthorised access to customer information associated with online orders, including personal details and purchase history.
The stolen data included customer names, email addresses, order details and mailing addresses. No credit card details or passwords were compromised, as David Jones does not store any credit card information or financial data on its website. Payment processing is handled separately through secure third-party systems.
Impact on Individuals
Affected online customers faced potential risks including:
- Phishing attacks: Email addresses could be used to send fraudulent messages appearing to be from David Jones
- Targeted scams: Order history and personal details could enable more convincing fraud attempts
- Privacy concerns: Shopping preferences and delivery addresses were exposed
- Spam: Contact details could be added to marketing databases or sold to third parties
Customers were advised to be cautious of unsolicited emails and to verify communications claiming to be from David Jones.
Organisational Response
David Jones reported the breach to the Office of the Australian Information Commissioner and the Australian Federal Police immediately upon discovery. All affected customers were notified by email about the incident. The company worked to secure the vulnerability in its website and engaged forensic investigators to understand how the breach occurred and prevent future incidents.