Dymocks has blamed a third-party provider for a devastating data breach that saw the personal information of 1.2 million customers posted on the dark web.

The Australian book retailer notified customers last week that it had become aware on 6 September that an “unauthorised party may have had access” to its customer records.

The company has now confirmed that 1.24 million customer contact records have been “stolen and made available on the dark web”, as reported by Information Age last week.

In an update from Friday, Dymocks blamed the huge data breach on an unnamed third party.

“While our investigation is ongoing, the compromise appears to have occurred in the systems of an external data partner,” Dymocks CEO Mark Newman said in an email to customers.

“All of our efforts are now focused on understanding if and how this occurred despite the security measures of that partner.”

Newman added that Dymocks’ own systems had not been breached.

“To date our investigations have established that Dymocks controlled systems were not compromised,” he said.

“Dymocks security measures for its internal systems appear to have been effective in protecting our customers’ information.”

The information obtained by the hackers and posted on the dark web includes names, dates of birth, emails, postal addresses and genders of Dymocks customers.

“We confirm that none of the information published consists of passwords, identification such as driver’s licences or any other highly sensitive information such as transaction information, payment information or credit card details,” Newman said.

Dymocks was informed of the data breach by Have I Been Pwned founder Troy Hunt, who was shown that customer data had been shared on Telegram channels. He said the most recent account creation date in the data was 20 June this year, meaning the data breach may have occurred months ago.

Hunt also questioned why a bookstore was collecting and storing information such as birth dates and gender.

“There were lots of opportunities to minimise the amount of data that was collected,” Hunt said.

There have been several high-profile data breaches recently in Australia that have been blamed on third-party providers.

This month, Defence Housing Australia launched an investigation after a cyber attack on one of its third-party service providers.

Earlier this year Latitude Financial suffered a major data breach after a “sophisticated” cyber attack on a “major vendor” used by the company. This breach occurred when the attacker gained employee login credentials and then used these to steal personal information held by two other service providers.

As part of the breach, the driver’s licences of 100,000 Latitude customers were stolen.

Rio Tinto also recently suffered a cyber attack against one of its suppliers that may have exposed the personal data of former and current Australian employees, while the ACT government is investigating a breach of its email gateway systems provider Barracuda Networks.

Earlier this year a hacker used a Deakin University staff member’s username and password to steal student information through one of the university’s third-party providers, obtaining the personal data of more than 45,000 people. Soon after this happened, 10,000 of these students received an SMS scam message.