Dymocks has revealed that the data breach that saw personal information of 1.2 million customers shared online occurred while data from its loyalty program was being migrated to a new provider.

In early September it was revealed that the names, addresses and dates of birth of 1.2 million Dymocks customers had been posted online following a data breach. A week later, the book retailer confirmed that an external partner was to blame for the incident.

The company has now completed its investigation into the cyber incident, emailing customers on Wednesday with further details of how it occurred.

Impacted customers were all signed up to the Dymocks Booklover program, a loyalty program which has been running for more than two decades.

The company uses a third party company to run this loyalty program which has access to this data, along with an email marketing provider.

In June this year Dymocks switched to a new provider for this service, but during the transition process it was breached by the hackers and the personal information was compromised.

“We can now confirm that the breach occurred in relation to our new loyalty provider’s systems,” Dymocks CEO Mark Newman said.

“We have been working closely with the new loyalty provider to establish what occurred and required it to engage its own forensic expert to investigate the incident.”

The Dymocks update did not reveal who this third party provider is.

According to Dymocks, the third party stored customer data temporarily in a separate web server so that it could impart the information into its loyalty platform. It was during this time that the hackers gained access to the third-party’s access keys for the server, enabling them to access its servers and the customer data.

The update did not reveal how the access keys were taken or the identity of the hackers.

“To be clear: to date, there is no evidence to suggest that the security protection measures for Dymocks loyalty platform were compromised,” Newman said.

“This incident highlighted a vulnerability in our external partner’s security measures. Whether it is us or our partners, the security of your information was our responsibility. We are actively taking steps to prevent such incidents in the future.”

Dymocks said that it first became aware of a potential breach on 6 September. Two days later, it found that a breach “looked likely”. This was confirmed on 15 September, the company said, when customers were informed their personal information had been stolen.

Following the breach, Dymocks was criticised for collecting a range of customer data, including birth dates and genders. The company has said that it is now reviewing the information it collects from customers, and will be removing data such as birth dates so it holds the “bare minimum necessary”.

Dymocks said it has also strengthened efforts to require its third-party partners to comply with privacy laws and adhere to standards for privacy and data security, and is actively monitoring the dark web to verify if customer records are posted again.

It said that all of its partners must now ensure that additional precautions are taken in respect of access, and a Dymocks Security Page has been launched to alert customers of security events or scams.

There have been several recent data breaches which have been blamed on third-party providers. Defence Housing Australia has launched an investigation following a cyber attack on one of its third-party service providers, while Rio Tinto also recently experienced a cyber attack against one of its suppliers.

Latitude Financial experienced a major data breach this year after a “sophisticated” cyber attack on a “major vendor” used by the company. The financial company was breached after an attacker gained employee login credentials and used these to steal personal information held by two other service providers.