
David Braue
Editor at Large

A tale of two breaches: Bunnings and the South Australia government

News Analysis
Jan 23, 2022 | 5 mins
Data Breach

Minimising data collection limited the data exposure from third-party compromise at one of the victims.

Credit: Selmaksan / Getty Images

The dangers of third-party data processors have been laid bare after a pair of attacks exposed the customer data of a major Australian retailer and jeopardised the digital identities of 80% of South Australia government employees—but different approaches to data collection appear to have made one of the breaches far more damaging than the other.

Why the Bunnings breach’s scope was limited

Names and email addresses of potentially thousands of customers of Bunnings—Australia’s largest home-improvement retailer, with 375 trading locations nationwide and nearly 50,000 employees—were identified as having been leaked in the December 2021 breach of US-based FlexBooker, from which details about 3.7 million accounts were stolen.

Bunnings had adopted FlexBooker nearly two years earlier to support its contactless Drive & Collect service, which was created in the last days before Melbourne’s first COVID-19 lockdown in March 2020 forced stores to close to customers and shift to click-and-collect services instead.

Designed in three days, the service was rolled out over the next five days, and Bunnings trained its entire employee base on the system within three weeks “to get it out in time before the first lockdown,” CIO Leah Balter told an analytics industry forum last year.

“We were really late to the party on digital, and we had to pivot really, really quickly. Because COVID forced customers to shop in very different ways, we had to design a whole new model for customers to shop in anticipation that stores might be closed”, she told the forum.

FlexBooker served its purpose in supporting Bunnings’ Drive & Collect service through five more Melbourne lockdowns—spanning a total of 262 days—but its underlying security exposure became clear only after the platform was hacked and customer data was published on hacker forums in December 2021.

Those details, which were stolen from the company’s AWS cloud-based platform by a cybercriminal group calling itself Uawrongteam, were being traded on hacker forums and included names, emails, driver’s licence photos, phone numbers, and encrypted passwords.

Yet the exposure of Bunnings customers to the breach was minimised because, Balter recently confirmed to the New Daily newspaper, the company had taken a “cautious approach” in designing its service, collecting minimal personal details that had shielded them from a more damaging compromise.

“Bunnings’ customers are not required to enter sensitive personal information through this provider,” Balter told the New Daily, “so we are confident that none of these categories of customer data have been compromised.”

Confidence in having minimised its collection of personal information may be keeping Bunnings positive about its risk exposure, but Ajay Unni, founder of security consultancy StickmanCyber, warned that “incidents like these can lead to significant reputational damage. Many companies including Bunnings rely on vendors like FlexBooker for a variety of services”.

But businesses often have no choice but to use such services, Unni said. “Given the value of these third-party providers, simply avoiding these partnerships to remove the risk of a cyberattack is not a solution.” So, “businesses should acknowledge the existence of third-party risk and work on understanding their exposure,” he advised. “Defining their tolerance to risk goes a long way in combating supply-chain attacks.”

South Australia’s breach exposed a treasure trove of data

Increasing exposure to supply-chain attacks is creating new headaches for the government of South Australia, which in 2021 suffered an attack on its digital driver’s licence service. Then came the even more problematic compromise of almost 80,000 employees’ details just before Christmas 2021. Department of Treasury and Finance chief executive David Reynolds told a Parliamentary committee that the state’s payroll provider, Frontier Software, had transferred a file containing the SA government’s staff details out of the secure payroll system and onto its internal network—which was then hit by a ransomware attack.

The details—which include name, date of birth, tax file number, home address, and bank account details—were stolen by cybercriminals after a successful Conti ransomware attack on Frontier Software. The company worked with local cybersecurity firm CyberCX to analyse the attack and “confirmed evidence of some data exfiltration”, the company admitted in December 2021.

That left state government authorities “deeply disappointed” and pushed them into damage control as they sought to avoid the exploitation of the stolen data for identity theft and criminal activity. “All public sector employees [outside of the Department of Education]… should assume that their personal information has been accessed,” SA treasurer Rob Lucas said in announcing the breach.

With about 100,000 employees in the state’s public sector workforce, the breach represents the compromise of about 80% of that workforce—forcing the government to warn banks, state superannuation provider SuperSA, and other agencies to be on the lookout for fraud.

The Australian Taxation Office blocked tens of thousands of employees from accessing their ATO Online accounts while it investigated the breach, and this month the SA government announced that it had served Frontier Software with a formal breach-of-contract notice.

Whatever the long-term impacts of the breach, it is another headache for a state that has a long history of outsourcing IT services and has been a customer of Frontier Software since 2001.

Authorities said it was too early to talk about dumping Frontier, but in the meantime the third-party exposure has left tens of thousands of employees nervously watching and waiting. “Being locked out from data, especially financial data, can bring even the largest companies to their knees,” said Paul Haskell-Dowland, a professor of cybersecurity practice at Edith Cowan University’s School of Science.

As is always the case after a data breach, people—SA government employees and Bunnings customers in these cases—must be “alert to any emails, text messages or phone calls from people requesting personal information or access to devices,” he said, noting that “criminals may have access to personal and financial information that could add legitimacy to any malicious campaign”.