Big W
Summary
Big W, the discount department store chain owned by Woolworths Group, experienced a data exposure incident in January 2019 when customer information was leaked during a printer repair mishap. The unusual breach demonstrated how physical equipment maintenance can create unexpected privacy risks when devices contain stored data or cached information.
What Happened
Physical Theft. Customer data was exposed when a printer used in Big W stores was sent for repair or disposal without properly clearing its internal memory. Modern multifunction printers and copiers often store copies of documents they've printed or scanned on internal hard drives or memory caches. In this case, customer information—likely from in-store transactions, returns, or online order pickups—remained on the printer when it left Big W's control. The data may have been accessible to repair technicians or others who handled the equipment. This type of breach highlights an often-overlooked security risk: office equipment can retain sensitive information even after documents are printed.
Impact on Individuals
- Contact Information: Customer names, addresses, phone numbers, and email details potentially exposed
- Transaction Details: Information about purchases or returns possibly accessible
- Limited Scope: Small number of customers affected compared to major cyber breaches
- Unexpected Vector: Customers unlikely to anticipate printers as a data security risk
While the breach affected a relatively small number of customers and involved basic contact information, it nonetheless represented a privacy failure.
Response
Big W immediately investigated the incident and secured the affected printer equipment. The retailer notified customers whose information may have been exposed and reported the incident to appropriate authorities. Big W reviewed its procedures for handling office equipment, particularly devices being sent for repair or disposal, and implemented enhanced protocols for wiping data from printers, copiers, and other devices with internal memory. The incident prompted the wider retail industry to examine its practices around equipment disposal and the often-overlooked security risks posed by multifunction devices. Big W implemented mandatory data-clearing procedures before any equipment leaves store premises.