Stolen customer data from Australian online wine seller Vinomofo has appeared for sale on a Russian-language cybercrime forum.
Vinomofo last week announced it had “experienced a cyber security incident where an unauthorised third party unlawfully accessed” its customer database on a testing platform, adding this was not linked to its live website.
It did not state when the breach occurred.
The database exposed during the breach contained a range of sensitive customer and member details for reportedly up to 500,000 customers, including name, date of birth, address, email address and phone number.
The company has offered assurance that it "does not hold identity or financial data such as passports, drivers’ licences or credit cards/bank details," alluding to the highly sensitive data exposed during the recent Optus data breach.
Vinomofo insists the attack is of low risk to its customers – a conclusion reached after an assessment was performed by its "cyber security and forensic specialists."
But the damage may already be done, with the impacted data having allegedly appeared on a Russian-language cyber crime forum in an advert which now states the data has already been sold.
Furthermore, the cyber criminal advert states the impacted database has 700,000 users, and is 17GB in size.
More bad news: Aussie wine retailer @vinomofo's data appeared for sale yesterday on a Russian-language cybercrime forum. The advert says the data has now been sold. It says the database has 700,000 users and is 17 GB. Analysis to come. #auspol #infosec pic.twitter.com/Vkr2kBoGpT
— Jeremy Kirk (@Jeremy_Kirk) October 20, 2022
Analysis performed on a batch of sample data revealed data fields pertaining to notes made by call centre staff – one of which was labelled "custom_do_not_call_reason", and filled in as "Not Drinking Anymore," suggesting that more nuanced, personal customer information may have been exposed and sold online.
Some Twitter users report having received a notification of the breach from Vinomofo, despite allegedly never having held a direct account with them.
"According to their msg I was a customer 'of a winery [they] represent'. Helpfully they don’t tell me which winery," said Twitter user Matt Armstrong.
Cloudy coverage attracts criticism
The wine dealer has attracted ample criticism for its arguably scant coverage of the incident, as the precise number of customers exposed in this breach is still largely unconfirmed.
While Vinomofo has provided statements regarding the type of data breached, it hasn't explicitly stated the amount of data breached, or even when it happened.
Furthermore, The Sydney Morning Herald reports a spokesperson for Vinomofo said no further information would be released.
"In the interests of the privacy of our customers and partners, and to reduce the risk of attempts by scammers to target them, we are not publicly releasing any further details about the incident," he said.
Information Age reached out to Vinomofo to ask whether the company had been upfront and transparent with its customers, but the question remained unaddressed in its reply.
"Vinomofo does not hold identity or financial data such as passports, drivers’ licences or credit cards/bank details," it said.
"Our investigation established that no passwords, identity documents or financial information were accessed," it added.
In a Reddit post regarding the cyber incident, user 'FearlessMessage' said, "It's great that companies are being more open and upfront, but I don't think they're renowned enough to go public on an incident that hasn't resulted in a data loss."
"If every company emailed and made a public statement for a cyber security breach/hack/attack/incident, we would be inundated," they added.
Impacted customers, on the other hand, continue to voice dissatisfaction over Vinomofo's communications.
According to The Sydney Morning Herald, an anonymous Vinomofo customer said they "wanted to know when the breach occurred and exactly which data had been taken."
What's next?
Vinomofo appears to be taking the conventional steps of an incident management plan, such as continuing contact with clients and reporting the incident to relevant government agencies.
"As soon as we were alerted to the suspected incident, we immediately commenced an investigation with leading cyber security and forensic specialists and took steps to further secure our IT environment and strengthen our systems," said Vinomofo.
"We also reported the matter to the Australian Cyber Security Centre (ACSC) and the Office of the Australian Information Commissioner (OAIC)."
The wine dealer said it is contacting customers so they can take "simple, precautionary steps" to protect their information and avoid potential scams.
If you are a Vinomofo customer or member concerned that you may have been impacted by this recent cyber security incident, Vinomofo suggests reading its FAQ page or making contact directly for further information.