Customer Notices

Further to our email to customers dated 4th October 2023, please see below our latest update on the Data Incident.

Frequently Asked Questions (FAQs) – Dymocks Data Incident

Last updated 4 October 2023

1. WHAT HAS HAPPENED

  • On 6 September 2023, we became aware that our customer records may have been published on the dark web.
  • On 8 September 2023, we let you know about the potential breach and recommended that you take steps to protect yourself from fraud and other scams, whilst we promptly launched an investigation to confirm what had happened.
  • On 15 September 2023, we notified you again that it had been confirmed by our forensic experts that our customer records had been published on the dark web.
  • Our investigation has now concluded that the cause of the breach was the unauthorised access by an external threat actor to the systems of our new loyalty provider, who stole and then used an access key to access a secure environment operated by this loyalty provider to temporarily store our customer records.
  • Our forensic experts have confirmed that the customer records were first published on the dark web on 2 September 2023 by external threat actors.
  • The customer records were accessed from the dark web multiple times.
  • Investigation by our external forensic experts has not found any breach of Dymocks’ controlled systems in connection with this breach.

2. WHAT INFORMATION WAS AFFECTED

We confirm that the information contained in the customer contact records and published on the dark web is limited to the following information only (and varies from person to person):

  • name;
  • date of birth;
  • email address;
  • mobile number;
  • postal address;
  • gender; and
  • membership details for Booklovers such as your gold expiry date, account status, member created date and card ranking.

No financial information such as credit card details or other payment methods or passwords are included in the compromised customer records.

3. WHAT IS DYMOCKS DOING

Dymocks is already acting to protect your data in the following ways:

  • Dymocks employs a number of security protections on our Dymocks systems and data. These include constant real time Cyber Threat Detection on key parts of our systems and remediation, Data Encryption in certain circumstances, Firewalls, Anti-virus and more.
  • We have engaged independent forensic experts to act on our behalf to monitor the dark web.
  • We are also using independent cyber-security experts to conduct a thorough review of our systems. As mentioned above, Dymocks controlled systems were not compromised in connection with the breach but we want to ensure that we’re always looking for ways to enhance our security.

4. WHAT SHOULD YOU DO

  • We recommend that you continue to remain vigilant. If you have not done so already, we strongly recommend that you take the steps in our notices sent to you on Friday 8th September and again on Friday 15th September to protect yourself from potential fraud and scams by cyber criminals. You can also access our recommended steps in our FAQs.
  • We will continue to update our FAQs with key developments regarding the investigation as well as any scams impersonating Dymocks that we become aware of.

5. WHO HAS DYMOCKS TOLD?

  • Dymocks has informed all customers.
  • Dymocks has been engaging with both the Office of the Australian Information Commissioner and the Australian Cyber Security Centre since the 8th of September and has been cooperating in terms of responding to information requests and complying with our legal obligations.
  • Dymocks has now provided a formal notification to the Office of the Australian Information Commissioner and has kept the Australian Cyber Security Centre up to date.

6. WHAT IF YOU WANT TO DELETE YOUR DATA?

  • Dymocks respects your right to remove personal data.
  • To make a request for removal of your personal information from Dymocks systems please visit this link: Data Deletion Request.
  • Dymocks will ensure that, on completion of processing, all controlled and third-party systems have your information removed. It may take up to a week for this to occur.

7. WHAT IF YOU HAVE QUESTIONS?

The best place to go if you have more questions is our FAQs. We continue to update these for relevant developments and to address common questions we are receiving about the Incident.

If you have further questions or concerns, it is best to direct them to our customer support team on: 1800 849 096 or help@dymocks.com.au. Our team will be working additional hours to answer customer questions regarding their Booklover data.

Last updated 18 September 2023

1. WHAT HAPPENED?

On 6 September 2023, we became aware that an unauthorised party may have access to our customer records (Incident).

As soon as we became aware of the Incident, we, together with our cybersecurity advisers, promptly launched an investigation to assess what happened.

While our investigation is ongoing we have made significant progress and our independent forensic experts have confirmed that our customer records are available on the dark web.

We are very sorry this has happened and the focus of our investigations is to understand how this has occurred.

2. HOW (WHERE) WAS THIS UNUSUAL ACTIVITY DETECTED?

The unusual activity was discovered by a concerned third party who informed us. We immediately launched an internal investigation with the assistance of our cybersecurity advisers and independent forensic experts, who have now confirmed that our customer records are available on the dark web.

3. HAS A MALICIOUS THIRD PARTY ACCESSED DYMOCKS’ SYSTEMS?

This is part of our investigation and to date, it does not appear there has been any unauthorised access to our systems. Dymocks takes privacy and security seriously and has a range of measures in place to secure your personal information.

Although our investigations are ongoing, we do believe that the systems of one of our third-party partners were subject to unauthorised access. Whilst we continue to keep all avenues open, we are working with the identified partner to focus on understanding if and how their systems were accessed despite their security measures.

4. HOW LONG DID THE ACCESS LAST?

To date, we do not have any evidence of any access to our systems and we are working hard to rule this out. As identified at point 3, we are working with all third party partners to understand if there has been any unauthorised access to their systems.

5. HOW MANY PEOPLE HAVE BEEN IMPACTED?

At this stage of our investigation, we can confirm that 1.24 million customer contact records have been impacted.

As we value being open and transparent with our customers, we let all our customers know about the Incident on 8 September 2023, including the kinds of information involved and the steps they should take to protect themselves. We provided a further update on 15 September 2023 to confirm that our customer records had been published on the dark web.

We will keep you updated during the investigation and our assessment, as we receive more information.

We also update our Fraud Alerts Page for any scams, such as scam and fraud emails impersonating Dymocks.

6. WHAT INFORMATION HAS BEEN INVOLVED?

We confirm that the information contained in the customer contact records and published on the dark web is limited to the following information only (and varies from person to person):

  • name;
  • date of birth;
  • email address;
  • phone number;
  • postal address;
  • gender; and
  • membership details for Booklovers such as your gold expiry date, account status, member created date and card ranking.

NO financial information such as credit card details or other payment methods or passwords are included in the compromised customer records.

7. WHAT HAS DYMOCKS DONE TO DATE?

  • Our investigation is well underway. We understand the importance that you place on keeping your personal information safe and secure. We know protecting your information is a great responsibility and is front and centre in our response to the current situation.
  • We took immediate containment steps, including to secure our system.
  • We promptly engaged independent forensic experts to assist with our investigation of the incident (including undertaking a detailed investigation of the dark web).
  • Our customer support team is available to assist customers with any questions on the data breach or related to their Booklover account. If you have any questions you can contact our customer support team on:
  • We also take our legal obligations seriously and we are following appropriate reporting guidelines and applicable laws. We are engaging with the Office of the Australian Information Commissioner (OAIC) and the Australian Cyber Security Centre (ACSC).
  • We are committed to being transparent about what we know and how it impacts you. We will keep you updated during the investigation and our assessment (if required).
  • We are following regulatory guidance in responding to the Incident.

8. WHAT IS DYMOCKS DOING TO PROTECT MY DATA NOW AND IN THE FUTURE?

Whilst our investigation is ongoing, Dymocks is already acting to protect your data in the following ways:

  • Dymocks employs a number of security protections on our Dymocks systems and data. These include constant real time Cyber Threat Detection on key parts of our systems and remediation, Data Encryption in certain circumstances, Firewalls, Anti-virus and more.
  • We have engaged independent forensic experts to act on our behalf to monitor the dark web and take down the data that has been released on the dark web, where this is possible.
  • We are also using independent cyber-security experts to conduct a complete review of our systems. As mentioned above, it appears that Dymocks controlled systems were not compromised but we want to ensure that we’re always looking for ways to enhance our security.

9. WHAT SHOULD I DO IF MY DATA HAS BEEN COMPROMISED?

Given the information is on the dark web and this can be used by cyber criminals to commit fraud and other scams, we continue to recommend you consider taking the following precautionary steps to protect yourself:

1. Change your passwords for your online accounts including for your Booklovers account, social media and other online accounts (and otherwise ensure that you have sufficiently complex passwords);

2. Be alert for any phishing scams that may come to you by phone, post or email. These are emails pretending to be from a reputable company but are not actually sent by that company;

3. Ensure that you have up-to-date anti-virus software and any recommended software patches installed on your computer systems;

4. Visit Scamwatch at https://www.scamwatch.gov.au/ to keep up with current scam trends; and

5. Read further information about staying safe online at:

10. HAVE YOU PROACTIVELY NOTIFIED THE OAIC OR LAW ENFORCEMENT BODIES?

We are following all appropriate reporting requirements. We are currently engaging with the Office of the Australian Information Commissioner (OAIC) and the Australian Cyber Security Centre (ACSC).

11. ARE CYBER CRIMINALS INVOLVED?

Cyber criminals are involved in publishing and selling the customer records on the dark web. However, at this stage we do not know how the incident occurred and this is the focus of our investigation.

To date, there is no evidence of unauthorised access to our systems and we are working with our third party providers to see if there may have been any unauthorised access to their systems.

12. WERE MY CREDIT CARD DETAILS EXPOSED?

No. We never hold or store customer financial information (including credit card details) and this information would not be in the customer records the unauthorised party may have access to.

13. HAS MY PASSWORD FOR MY BOOKLOVERS ACCOUNT BEEN COMPROMISED?

No, it does not appear that any Booklovers passwords have been compromised.

With that said, given the information may be on the dark web and this can be used by cyber criminals to commit fraud and other scams, we recommend you consider, as a precautionary step, changing your passwords for your online accounts including for your Booklovers account, social media and other online accounts (and otherwise ensure that you have sufficiently complex passwords).

14. HAVE MY IDENTITY DOCUMENTS BEEN COMPROMISED?

No. No identity documents (such as passport number or driver’s licence details) are contained in the customer records.

15. CAN I KEEP SHOPPING WITH YOU?

Yes. We recommend you change your Booklovers password but our systems are operational and you can continue to make purchases with us.

We confirm that no passwords were involved in the Incident.

16. WHO SHOULD I CONTACT IF I HAVE ANY QUESTIONS OR CONCERNS?

We continue to monitor the situation closely and update these FAQs for relevant information.

If you have further questions or concerns, it is best to direct them to our customer support team on:

You can also visit our Fraud Alerts Page at https://www.dymocks.com.au/customer-notices/fraud-security-alerts for scam alerts. So far we are aware of one scam email impersonating Dymocks following the Data Incident.

17. WHAT IF I WANT YOU TO DELETE MY BOOKLOVER ACCOUNT?

We understand if you would like to delete your Booklover account. To request account deletion please complete the Account Deletion Request form at https://www.dymocks.com.au/data-deletion-request. Please note, deleting your Booklover account removes any personal data currently held within your account, including your purchase history and any Booklover Rewards balance. Should you rejoin the Booklover Rewards program in the future, these points and your purchase history cannot be loaded to the new account. It may take a few days to fully delete your details from our systems. You may receive further communications from us during this period, until this process is completed.

Dymocks Data Breach Updates

Update: 13 September 2023

Extra vigilance and fraud & security updates

As always, please be aware of scams that purport to come from Dymocks. Dymocks will not contact you via email or text message asking for payment or personal information, or offering refunds. Please never click on any links that you are unsure about. For the latest fraud and security updates, visit https://www.dymocks.com.au/customer-notices/fraud-security-alerts.

Update: 8 September 2023

We recently became aware of a data breach of customer information. We have a strong commitment to customer privacy and data security and while the magnitude of the breach has not been confirmed or determined at this stage, we are taking immediate action to investigate the incident and protect customers’ information.

Below is a summary of what we know, what we’re doing, and how we’ll continue to communicate further updates.

We apologise for any inconvenience or concern this situation causes customers. We are committed to providing updates as our investigation progresses. All necessary steps will be taken to safeguard customer data.

How we will communicate

The latest updates will be published on this webpage.