OAIC welcomes Kmart Australia breach notification after customer data hack

Major retailer Kmart has called in forensic investigators and notified its Australian customers of a significant breach of the company’s security that has seen customer details of customers’ online purchases stolen from its systems en masse.

The Wesfarmers-owned company – which generated $4.55 billion in revenue on the back of 18 percent annualised earnings growth in its latest financial year – advised customers via email and sighted by Fairfax Media |on its Web site]] that it had been hit by an “external privacy breach” that facilitated the theft of customers’ name, email address, delivery and billing addresses, phone numbers and details of past product purchases.

“This breach only impacts a selection of customers who have shopped online with Kmart Australia,” the company advised, noting that “immediate action was taken to stop any further information being accessed” as soon as the company found out about the breach.

The company had engaged “leading IT forensic investigators” to look into the breach, and had engaged the Australian Federal Police and Office of the Australian Information Commissioner (OAIC) to help with the investigation.

The OAIC has set up an information page on the breach, noting that the organisation is “waiting to receive further information about the incident from Kmart Australia once its own investigation is further progressed.”

The OAIC is “encouraged” about Kmart’s proactive response and the fact that it voluntarily notified the OAIC about the incident, the organisation wrote, noting that it received 110 voluntary data breach notifications in 2014-15 – an increase of 64 percent on the previous year.

“Notification can be an important mitigation strategy that has the potential to benefit both the organisation and the individuals affected by a data breach,” the OAIC wrote.

Kmart Australia wasn’t offering any additional information for now, and there was no indication of what kind of breach had occurred or when it had begun.

Industry experts repeatedly point out that it can be some time between when a breach occurs and when it is discovered, with a 2015 IBM-Ponemon Institute report noting that it takes 256 days on average to even detect that a breach has occurred.

Retailers have regularly been targeted by attackers keen to steal payment-card and other information, with Experian’s 2015 Data Breach Industry Forecast noting months ago that the trend was getting worse.

Last month, digital security firm Gemalto said some 888 data breaches had occurred worldwide in the first six months of this year, with 246 million data records stolen. Large data breaches “continued to expose massive amounts of personal information and identities”, the firm warned, with the top 10 breaches accounting for 81.4 percent of all compromised records.

Gemalto’s figures pegged a sharp decline in the percentage of breaches attributable to retailers – from 38 percent of all records last year, to 4 percent during the same period this year.

Yet while the Kmart Australia breach may be relatively small in sheer numbers terms, it is significant in affecting a high-profile retailer with which many Australians have commercial relationships.

And while Kmart has suggested the breach was due to external causes, forensic analysis will also need to explore the company’s extensive network of retailers as well. A recent Clearswift report found that 3 out of 4 businesses have been hit by a breach in the last year due to employees, ex-employees, contractors or partners and suggested that 63 percent of breaches were inadvertent.

Last year, online retailer Catch of the Day made news after informing customers it had been hit by a breach – three years earlier. And it is far from the only retailer to be hit: Telstra’s Cyber Security Report 2014 suggested that 41 percent of Australian companies had experienced a major security incident in the past three years.