A tale of two breaches: Bunnings and the South Australia government

Minimising data collection limited the data exposure from third-party compromise at one of the victims.


The dangers of third-party data processors have been laid bare after a pair of attacks exposed the customer data of a major Australian retailer and jeopardised the digital identities of 80% of South Australia government employees—but different approaches to data collection appear to have made one of the breaches far more damaging than the other.

Why the Bunnings breach’s scope was limited

Names and email addresses of potentially thousands of customers of Bunnings—Australia’s largest home-improvement retailer, with 375 trading locations nationwide and nearly 50,000 employees—were identified as having been leaked in the December 2021 breach of US-based FlexBooker, from which details about 3.7 million accounts were stolen.

Bunnings had adopted FlexBooker nearly two years earlier to support its contactless Drive & Collect service, which was created in the last days before Melbourne’s first COVID-19 lockdown in March 2020 forced stores to close to customers and shift to click-and-collect services instead.

Designed in three days, the service was rolled out over the next five days, and Bunnings trained its entire employee base on the system within three weeks “to get it out in time before the first lockdown,” CIO Leah Balter told an analytics industry forum last year.
