This is a work in progress. While we strive for accuracy, some breach details may be incomplete or pending verification.

Dymocks

Summary

Dymocks, a major Australian bookstore chain, was informed of a data breach on 6 September 2023 after 1.24 million customer records appeared on hacking forums and the dark web. The breach was caused by unauthorised access to the systems of Dymocks' new loyalty programme provider, where an attacker stole an access key and used it to retrieve customer records. The stolen data, which had been circulating since at least June 2023, included names, dates of birth, genders, email addresses, and postal addresses, but no financial information.

What Happened

Dymocks was informed of the data breach on 6 September 2023 by Troy Hunt, creator of the Have I Been Pwned service. Hunt notified the company after a threat actor released customer data on a hacking forum.

The breach occurred when an external threat actor gained unauthorised access to the systems of Dymocks' new loyalty programme provider. The attacker stole an access key and used it to retrieve records from a storage environment operated by that provider, in which customer records were being held temporarily during the migration to the new loyalty system. Because a stolen static access key authenticates exactly as the legitimate holder would, the environment's access controls alone would not distinguish the attacker's retrieval from the migration's own reads; limiting such a key's lifetime and scope, and watching for use from unexpected sources or at unexpected volumes, are the controls that shorten the window.
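As an added illustration of the last point (this is example code written for this page, not code from Dymocks or its loyalty provider, and the page does not identify the provider's platform), the following script runs a simple misuse check over constructed audit records. The log format, field names, the key ID `migration-key-01`, the IP addresses and the record counts are all assumptions made for the example. It builds a per-key baseline from a known-good window and flags later use of the same key from a source address not in the baseline or reading far more records than the baseline ever did.

```python
"""Flag anomalous use of a static access key in audit logs.

Added example, not Dymocks' or its loyalty provider's code. The log format,
field names, key ID, addresses and volumes below are constructed assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample audit records in a hypothetical JSON-lines format.
# One access key is normally used by a single migration host (10.20.0.5);
# the last three lines show the same key pulling records from an unfamiliar
# address at a much higher volume.
SAMPLE_LOG = """
{"ts": "2023-05-20T09:00:00Z", "key_id": "migration-key-01", "src_ip": "10.20.0.5", "action": "ListRecords", "records": 500}
{"ts": "2023-05-20T09:05:00Z", "key_id": "migration-key-01", "src_ip": "10.20.0.5", "action": "GetRecord", "records": 500}
{"ts": "2023-05-21T09:00:00Z", "key_id": "migration-key-01", "src_ip": "10.20.0.5", "action": "GetRecord", "records": 480}
{"ts": "2023-06-02T01:13:00Z", "key_id": "migration-key-01", "src_ip": "203.0.113.77", "action": "ListRecords", "records": 1000}
{"ts": "2023-06-02T01:14:00Z", "key_id": "migration-key-01", "src_ip": "203.0.113.77", "action": "GetRecord", "records": 250000}
{"ts": "2023-06-02T01:15:00Z", "key_id": "migration-key-01", "src_ip": "203.0.113.77", "action": "GetRecord", "records": 250000}
"""

# Assumed boundary between the known-good baseline window and the period
# under review.
CUTOFF = datetime(2023, 6, 1)


def parse_log(text):
    """Parse JSON-lines audit records, converting timestamps to datetime."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def build_baseline(events, cutoff):
    """Per key: the set of source IPs seen and the largest single read,
    using only events before the cutoff."""
    seen_ips = defaultdict(set)
    max_records = defaultdict(int)
    for event in events:
        if event["ts"] < cutoff:
            key = event["key_id"]
            seen_ips[key].add(event["src_ip"])
            max_records[key] = max(max_records[key], event["records"])
    return seen_ips, max_records


def detect_key_misuse(events, cutoff, volume_factor=10):
    """Return alerts for post-cutoff events where a key is used from a source
    IP absent from its baseline, or reads more than volume_factor times the
    largest read in its baseline. A key with no baseline at all is treated
    as a new source and a bulk read, since nothing legitimises its use."""
    seen_ips, max_records = build_baseline(events, cutoff)
    alerts = []
    for event in events:
        if event["ts"] < cutoff:
            continue
        key = event["key_id"]
        reasons = []
        if event["src_ip"] not in seen_ips[key]:
            reasons.append("new source ip")
        if event["records"] > volume_factor * max_records[key]:
            reasons.append("bulk read")
        if reasons:
            alerts.append({
                "ts": event["ts"].isoformat(),
                "key_id": key,
                "src_ip": event["src_ip"],
                "records": event["records"],
                "reasons": reasons,
            })
    return alerts


def run_example():
    """Run the check over the constructed sample log and return the alerts."""
    return detect_key_misuse(parse_log(SAMPLE_LOG), CUTOFF)


if __name__ == "__main__":
    for alert in run_example():
        print(alert["ts"], alert["key_id"], alert["src_ip"],
              alert["records"], ", ".join(alert["reasons"]))
```

On the sample data the first post-cutoff event is flagged only for the new source address (its 1,000-record read is within ten times the baseline maximum of 500), and the two 250,000-record reads are flagged for both reasons. The thresholds are deliberately crude; in practice the baseline would be built per key over a longer window and the source check would use network ranges or identity context rather than exact IPs, but the shape of the check, a baseline of how a credential is normally used compared against how it is being used now, is what a stolen key that authenticates successfully leaves you to work with.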

Customer records were first published on the dark web on 2 September 2023. A post on the BreachForums hacking forum dated 3 September 2023 offered access to the stolen database. However, Troy Hunt reported that Dymocks customer data had been circulating in various Telegram channels and hacking forums since at least June 2023, suggesting the breach occurred months before Dymocks became aware of it.

Impact on Individuals

The data breach affected 1.24 million customer contact records, representing 836,120 unique Dymocks accounts. The leaked data consisted of names, dates of birth, email addresses, postal addresses, and genders. Notably, no financial information, such as credit card details, was included in the breach.

Whilst the absence of financial data reduces the immediate fraud risk, the exposed information could still be used for identity theft and targeted phishing, or resold to other criminals. The combination of full name, date of birth, and postal address is enough to answer common identity-verification questions, so it could be used to compromise other accounts or services where customers have relied on the same details.

Organisational Response

Dymocks' cybersecurity experts found evidence of discussions regarding customer records being available on the dark web. The company attributed the breach to its external loyalty programme provider, stating that the breach occurred during a migration to a new loyalty system.

Dymocks confirmed it will only store the "bare minimum" customer data in future to reduce the impact of potential breaches. The company worked to notify affected customers and advised them to be cautious of potential phishing attempts using the stolen information.

Verification Source: View original statement