Dymocks Says Data Breach Was Due To A Third-party ‘Partner’

Dymocks has issued an update regarding its data breach incident that occurred on September 6th, attributing the breach to “unauthorised access” into the systems of one of its third-party partners.

The Australian bookseller is actively investigating the breach in collaboration with its own team of cybersecurity experts and external specialists.

Dymocks has confirmed that approximately 1.24 million customer records have been compromised, with evidence that these records are now accessible on the dark web.

In their latest customer notice, Dymocks stated, “Although our investigations are ongoing, we do believe that one of our third-party partner’s systems [was] subject to unauthorised access. While we continue to keep all avenues open, we are working with the identified partner to focus on understanding if and how their systems were accessed despite their security measures.”

Furthermore, Dymocks is in the process of collaborating with all of its third-party suppliers to determine if any further unauthorised access to customer data has occurred.

The company has been diligent in keeping its customers informed about the incident, having initially notified them on September 8, 2023, regarding the nature of the compromised information and the necessary steps for safeguarding themselves. An additional update was provided on September 15, 2023, confirming that customer records had surfaced on the dark web.

The exposed data includes customer names, postal and email addresses, gender information, and Booklovers membership details.

While Dymocks acknowledges the presence of this data on the dark web, recent reports indicate that a hacker has claimed to possess 1.2 million sets of data from Dymocks and has been offering it for sale on a well-known clear web hacking forum.

This seller even provided sample datasets on September 3rd, which other forum users have verified to be authentic. One forum member noted, “For what it’s worth, I can verify by correlating with other Australian breaches that at least two of the sample entries look legit because the data matches known good older breaches (Medicare I think).”

Interestingly, another member on the same forum is also advertising 1.2 million data lines from the same breach, with a sample dataset that includes details consistent with the original post, including Booklovers membership information. This secondary post was made on September 18th.

Both datasets are currently available for approximately €3.75 or slightly over $6, and anyone with sufficient site credits can unlock and utilize the data as they see fit.