At least 1.2 million records belonging to Dymocks customers have been circulating online following a data breach the Australian bookseller was tipped off about last week.

Dymocks notified customers with an email on Friday afternoon in which managing director Mark Newman said the company was “still investigating” the incident.

“On 6 September 2023, we became aware that an unauthorised party may have had access to our customer records,” Dymocks wrote in a more detailed notification about the breach.

“As soon as we became aware of the incident, we, together with our cyber security advisers, launched an investigation to assess what happened.

“While our investigation is ongoing and at the early stages, our cyber security experts have found evidence of discussions regarding our customer records being available on the dark web.”

Dymocks said the stolen data includes names, dates of birth, email and postal addresses, and genders but no financial information.

It is still trying to determine how exactly the data got out.

“At the moment, initial scans of our systems show no sign of penetration and we are working with our third-party partners to understand whether the breach could have occurred in their systems,” Dymocks said.

Cyber security researcher and creator of the ‘Have I Been Pwned’ service, Troy Hunt, said he disclosed the breach to Dymocks after being shown customer data that had been shared on Telegram channels.

According to Hunt, the most recent account creation date in the data was 20 June 2023, meaning the breach could have occurred months ago without Dymocks realising.

Minimise data collection

In a vlog, Hunt praised Dymocks for its quick response to the incident, but questioned why a bookstore needed to store customer birth dates and genders.

“If you’re saying you need dates of birth so that you know what sorts of books to target at [customers], would it make that much difference if you were born on the first of March 1965, versus the first of September?” he asked.

“[Dymocks] could have easily just stored the year of birth, [it] could have stored the age group in five-year brackets at time of sign up.

“There were lots of opportunities to minimise the amount of data that was collected.”

Hunt also said around a quarter of the 1.2 million records in the Dymocks dataset were flagged as ‘inactive’.

Samantha Floreani, program lead with Digital Rights Watch, told Information Age it was “concerning that Dymocks has been retaining inactive customers’ personal information”.

“As we saw from the Optus breach, when companies hold onto personal information for longer than is necessary, it puts more people at risk in the event of a data breach,” she said.

“As always, one of the best ways to reduce the harm of a data breach is to minimise the amount of personal information that is collected, stored, and shared.

“There is a pervasive culture of over-collection, and we urgently need the Privacy Act to be updated to require better information privacy and security practices from companies.”
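Hunt's suggestion above (keep a year of birth or a five-year age bracket rather than a full date of birth) and Floreani's point about not retaining inactive customers' data, as an added Python example that is not part of the article or of any Dymocks system; the field names, the two-year retention window and the sample records are assumptions made for illustration.

```python
from datetime import date

BRACKET_WIDTH = 5  # five-year age brackets, as Hunt suggested

def age_on(dob_iso: str, on_iso: str) -> int:
    """Whole years between a date of birth and a reference date, both ISO 'YYYY-MM-DD'."""
    dob, on = date.fromisoformat(dob_iso), date.fromisoformat(on_iso)
    years = on.year - dob.year
    if (on.month, on.day) < (dob.month, dob.day):  # birthday not yet reached this year
        years -= 1
    return years

def age_bracket(dob_iso: str, signup_iso: str, width: int = BRACKET_WIDTH) -> str:
    """Bracket containing the customer's age at signup, e.g. '55-59'."""
    age = age_on(dob_iso, signup_iso)
    if age < 0:
        raise ValueError("date of birth is after the signup date")
    low = age // width * width
    return f"{low}-{low + width - 1}"

def minimise_signup(raw: dict, signup_iso: str) -> dict:
    """Store only what the business case needs: year of birth and an age bracket
    replace the full date of birth, and gender is not kept at all.
    Field names are assumed for this example, not Dymocks' schema."""
    return {
        "name": raw["name"],
        "email": raw["email"],
        "postal_address": raw["postal_address"],
        "year_of_birth": int(raw["dob"][:4]),
        "age_bracket": age_bracket(raw["dob"], signup_iso),
        "last_active": signup_iso,  # refreshed on each login or purchase
    }

def due_for_deletion(records: list, today_iso: str, max_inactive_days: int = 730) -> list:
    """Records with no activity inside the (assumed two-year) retention window;
    deleting them limits how many inactive customers a future breach would expose."""
    today = date.fromisoformat(today_iso)
    return [r for r in records
            if (today - date.fromisoformat(r["last_active"])).days > max_inactive_days]
```

The two dates of birth Hunt mentions (1 March and 1 September 1965) land in the same bracket, which is the point: the bracket supports the stated marketing purpose while the exact date does not survive a breach.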

Last week, the Office of the Australian Information Commissioner (OAIC) published its latest report from the notifiable data breaches scheme, which showed 172 incidents were reported during the first half of the year.

In statements accompanying the report, privacy commissioner Angelene Falk warned of the ‘mosaic effect’ that happens when seemingly small pieces of data are leaked.

“Every piece of data that is compromised can increase the likelihood of cyber actors linking together pieces of information to gain insight or do harm,” she said.