This is a work in progress. While we strive for accuracy, some breach details may be incomplete or pending verification.

digiDirect

Summary

Australian consumer electronics retailer digiDirect suffered a data breach affecting 304,337 customers when a threat actor using the alias "Tanaka" exfiltrated customer database records and posted them on dark web forums. The breach, discovered on September 29, 2024, exposed personal information and partial payment card details. DigiDirect Group owns digiDirect, Booktopia, Angus & Robertson, and computer hardware retailer Mwave.

What Happened

On September 29, 2024, a threat actor known as "Tanaka" posted on BreachForums claiming to have successfully breached digiDirect and stolen a database containing over 304,000 customer records. The attacker provided sample data as proof of the breach and mentioned a potential accomplice named "Chucky," though their involvement remains uncertain.

The breach affected digiDirect's customer database, containing information collected through online purchases and account registrations. The stolen data was publicly shared on cybercrime forums, making it accessible to other malicious actors. The breach was verified and added to Have I Been Pwned's database on October 25, 2024.

Impact on Individuals

The breach exposed sensitive customer information including:

  • Full names and email addresses
  • Phone numbers
  • Billing and shipping addresses
  • Dates of birth
  • Partial credit card numbers
  • Company names (for business customers)
  • AIPP (Australian Interest-Free Payment Plan) verification status

This combination of personal and financial information creates significant risks for affected customers, including:

  • Identity theft using the combination of name, address, and date of birth
  • Credit card fraud or unauthorized transactions
  • Targeted phishing attacks impersonating digiDirect or related brands
  • Account takeover attempts on other services where customers may have reused credentials

The exposure of both contact and financial data makes affected individuals particularly vulnerable to sophisticated fraud schemes.

Organisational Response

As of the initial disclosure, digiDirect had not issued a public statement about the breach. There was no official confirmation from the company or evidence of notification to affected customers through the Office of the Australian Information Commissioner's Notifiable Data Breaches scheme.

The lack of public response raises concerns about whether affected customers were properly notified and provided with guidance on protecting themselves from potential fraud and identity theft resulting from the breach.

