Book retailer Dymocks has identified an “external data partner” as the source of a data breach affecting 1.24 million customer records.
In an update posted late last week, the company said its investigations remained ongoing but had so far “established that Dymocks-controlled systems were not compromised”.
“All our efforts are now focused on understanding if and how this occurred, despite the security measures of that partner,” it said.
CEO Mark Newman wrote in a letter to customers that he was “devastated” by the incident.
“As an Australian owned, family company that has a successful legacy of serving Australian customers for 144 years, I cannot begin to express how devastated the team and I feel about this incident,” he wrote.
“We apologise unreservedly that the compromise has occurred, and we’re committed to looking for ways to further strengthen the measures that we and our partners take to keep your information safe.”
Newman added that customers should anticipate one further update once the investigations are complete, to share “final findings”.
Dymocks said that in addition to cooperating with authorities, it had engaged “independent forensic experts to act on our behalf to monitor the dark web and take-down the data that has been released on the dark web, where this is possible.”
“We are also using independent cyber security experts to conduct a complete review of our systems,” the company said in a revised FAQ.
“[Though] it appears that Dymocks controlled systems were not compromised … we want to ensure that we’re always looking for ways to enhance our security.”