The dangers of third-party data processors have been laid bare after a pair of attacks exposed the customer data of a major Australian retailer and jeopardised the digital identities of 80% of South Australian government employees — but different approaches to data collection appear to have made one of the breaches far more damaging than the other.

Why the Bunnings breach’s scope was limited

Names and email addresses of potentially thousands of customers of Bunnings — Australia’s largest home-improvement retailer, with 375 trading locations nationwide and nearly 50,000 employees — were identified as having been leaked in the December 2021 breach of US-based FlexBooker, from which details about 3.7 million accounts were stolen.

Bunnings had adopted FlexBooker nearly two years earlier to support its contactless Drive & Collect service, which was created in the last days before Melbourne’s first COVID-19 lockdown in March 2020 forced stores to close to customers and shift to click-and-collect services instead.

Designed in three days, the service was rolled out over the next five days, and Bunnings trained its entire employee base on the system within three weeks “to get it out in time before the first lockdown,” CIO Leah Balter told an analytics industry forum last year.

“We were really late to the party on digital, and we had to pivot really, really quickly. Because COVID forced customers to shop in very different ways, we had to design a whole new model for customers to shop in anticipation that stores might be closed,” she told the forum.

FlexBooker served its purpose in supporting Bunnings’ Drive & Collect service through five more Melbourne lockdowns — spanning a total of 262 days — but its underlying security exposure became clear only after the platform was hacked and customer data was published on hacker forums in December 2021.

Those details, stolen from the company’s AWS cloud-based platform by a cybercriminal group calling itself Uawrongteam, were being traded on hacker forums and included names, emails, driver’s licence photos, phone numbers, and encrypted passwords.

Yet the exposure of Bunnings customers to the breach was minimised because, Balter recently confirmed to the New Daily newspaper, the company had taken a “cautious approach” in designing its service, collecting only minimal personal details, which shielded customers from a more damaging compromise.

“Bunnings’ customers are not required to enter sensitive personal information through this provider,” Balter told the New Daily, “so we are confident that none of these categories of customer data have been compromised.”

Confidence in having minimised its collection of personal information may be keeping Bunnings positive about its risk exposure, but Ajay Unni, founder of security consultancy StickmanCyber, warned that “incidents like these can lead to significant reputational damage. Many companies including Bunnings rely on vendors like FlexBooker for a variety of services”.

But businesses often have no choice but to use such services, Unni said. “Given the value of these third-party providers, simply avoiding these partnerships to remove the risk of a cyberattack is not a solution.” So, “businesses should acknowledge the existence of third-party risk and work on understanding their exposure,” he advised. “Defining their tolerance to risk goes a long way in combating supply-chain attacks.”

South Australia’s breach stole a treasure trove of data

Increasing exposure to supply-chain attacks is creating new headaches for the government of South Australia, which in 2021 suffered an attack on its digital driver’s licence service. Then came the even more problematic compromise of almost 80,000 employees’ details just before Christmas 2021.

The stolen details — which include name, date of birth, tax file number, home address, and bank account details — were taken by cybercriminals after a successful Conti ransomware attack on the state’s payroll provider, Frontier Software. Department of Treasury and Finance chief executive David Reynolds told a Parliamentary committee that Frontier had transferred a file containing the SA government’s staff details out of the secure payroll system and onto its internal network, which was then hit by the ransomware attack.

Frontier Software worked with local cybersecurity firm CyberCX to analyse the attack and “confirmed evidence of some data exfiltration”, the company admitted in December 2021.

That left state government authorities “deeply disappointed” and pushed them into damage control as they sought to avoid the exploitation of the stolen data for identity theft and criminal activity. “All public sector employees [outside of the Department of Education]… should assume that their personal information has been accessed,” SA treasurer Rob Lucas said in announcing the breach.

With about 100,000 employees in the state’s public sector workforce, the breach represents the compromise of about 80% of that workforce — forcing the government to warn banks, state superannuation provider SuperSA, and other agencies to be on the lookout for fraud.

The Australian Taxation Office blocked tens of thousands of employees from accessing their ATO Online accounts while it investigated the breach, and this month the SA government announced that it had served Frontier Software with a formal breach-of-contract notice.

Whatever the long-term impacts of the breach, it is another headache for a state that has a long history of outsourcing IT services and has been a customer of Frontier Software since 2001.

Authorities said it was too early to talk about dumping Frontier, but in the meantime the third-party exposure has left tens of thousands of employees nervously watching and waiting. “Being locked out from data, especially financial data, can bring even the largest companies to their knees,” said Paul Haskell-Dowland, a professor of cybersecurity practice at Edith Cowan University’s School of Science.

As is always the case after a data breach, people — SA government employees and Bunnings customers in these cases — must be “alert to any emails, text messages or phone calls from people requesting personal information or access to devices,” he said, noting that “criminals may have access to personal and financial information that could add legitimacy to any malicious campaign”.