Big box update

Bunnings' customers in data breach

They have been caught up in a cyber security breach affecting 3.7 million people worldwide through online booking system FlexBooker

Customers who have used Bunnings' contactless drive and collect service may have had some of their personal information stolen after the software firm behind the service experienced a major security breach.

FlexBooker is a popular tool for scheduling appointments used by Bunnings for its drive and collect orders.

A few days before Christmas, FlexBooker sent a data breach notification to customers, confirming the attack and that the intruders "accessed and downloaded" data held on its Amazon cloud storage system.

"On December 23, 2021, starting at 4:05 PM EST our account on Amazon's AWS servers was compromised," reads the notification, adding the intruders did not access "any credit card or other payment card information".

In the "incident alert", FlexBooker said it worked to restore a backup within 12 hours. It also said customer passwords included in the data were encrypted and the encryption key was not accessed or downloaded, and that it "will continue to work with Amazon to maintain security".

Bunnings chief information officer Leah Balter said the company was aware of the FlexBooker data security breach, which might include the data of some customers who had booked a time slot with its drive and collect service. Ms Balter told 9News:

The customer information shared through this third party provider is limited to full name and email address only. Bunnings' customers are not required to enter sensitive personal information through this provider, such as passwords, mobile numbers, or credit card information, so we are confident that none of these categories of customer data have been compromised.

The retailer is working with FlexBooker to understand how the breach occurred and determine the extent of its impact.

Bunnings also encouraged its customers to be cautious of any unusual activity in their email accounts and to regularly change passwords "as a precaution". Ms Balter said:

Bunnings takes the security of our customers' and team members' personal information very seriously, and will carry out a thorough investigation into this incident.

Bunnings said it had notified the Office of the Australian Information Commissioner (OAIC). It introduced the drive and collect service in April 2020 at 250 stores across Australia in response to the COVID-19 pandemic.

  • Sources: The Canberra Times, 9News, Bleeping Computer and Waikato Times (Stuff NZ)