Dymocks discloses breach after dark web data leak

Australian book retailer Dymocks is the latest large organisation to disclose a data breach, with information on up to 836,000 accounts compromised.

The retailer sent a notification to customers on Friday, saying it “became aware” of the cyber security incident on September 6.

“We have become aware that some of our customer information may have been compromised,” managing director Mark Newman wrote.

“We are still investigating this but we wanted to be proactive and warn you that there is a chance that this has occurred.”

Have I Been Pwned (HIBP) put the actual breach date at June 20, and said that stolen data consisted of 1.2 million customer records and 836,120 unique email addresses.

Dymocks did not provide any numbers in its own breach notification, saying that the incident remained under investigation.

“While our investigation is ongoing and at the early stages, our cyber security experts have found evidence of discussions regarding our customer records being available on the dark web,” it wrote.

The retailer said that customer records held on its system contained fields such as date of birth, postal address, email address, mobile number, gender and “membership details such as your gold expiry date, account status, member created date and card ranking.”

It asked customers “to be vigilant” in monitoring for phishing or scam attempts using the stolen data.