OAIC welcomes Kmart Australia breach notification after customer data hack

Major retailer Kmart has called in forensic investigators and notified its Australian customers of a significant breach of the company's security that has seen customer details of customers' online purchases stolen from its systems en masse.

The Wesfarmers-owned company – which generated $4.55 billion in revenue on the back of 18 percent annualised earnings growth in its latest financial year – advised customers via email and sighted by Fairfax Media |on its Web site]] that it had been hit by an “external privacy breach” that facilitated the theft of customers' name, email address, delivery and billing addresses, phone numbers and details of past product purchases.

“This breach only impacts a selection of customers who have shopped online with Kmart Australia,” the company advised, noting that “immediate action was taken to stop any further information being accessed” as soon as the company found out about the breach.

The company had engaged “leading IT forensic investigators” to look into the breach, and had engaged the Australian Federal Police and Office of the Australian Information Commissioner (OAIC) to help with the investigation.

The OAIC has set up an information page on the breach, noting that the organisation is “waiting to receive further information about the incident from Kmart Australia once its own investigation is further progressed.”

The OAIC is “encouraged” about Kmart's proactive response and the fact that it voluntarily notified the OAIC about the incident, the organisation wrote, noting that it received 110 voluntary data breach notifications in 2014-15 – an increase of 64 percent on the previous year.

“Notification can be an important mitigation strategy that has the potential to benefit both the organisation and the individuals affected by a data breach,” the OAIC wrote.

Kmart Australia wasn't offering any additional information for now, and there was no indication of what kind of breach had occurred or when it had begun.

Industry experts repeatedly point out that it can be some time between when a breach occurs and when it is discovered, with a 2015 IBM-Ponemon Institute report noting that it takes 256 days on average to even detect that a breach has occurred.

Retailers have regularly been targeted by attackers keen to steal payment-card and other information, with Experian's 2015 Data Breach Industry Forecast noting months ago that the trend was getting worse.

Last month, digital security firm Gemalto said some 888 data breaches had occurred worldwide in the first six months of this year, with 246 million data records stolen. Large data breaches “continued to expose massive amounts of personal information and identities”, the firm warned, with the top 10 breaches accounting for 81.4 percent of all compromised records.

Gemalto's figures pegged a sharp decline in the percentage of breaches attributable to retailers – from 38 percent of all records last year, to 4 percent during the same period this year.

Yet while the Kmart Australia breach may be relatively small in sheer numbers terms, it is significant in affecting a high-profile retailer with which many Australians have commercial relationships.

And while Kmart has suggested the breach was due to external causes, forensic analysis will also need to explore the company's extensive network of retailers as well. A recent Clearswift report found that 3 out of 4 businesses have been hit by a breach in the last year due to employees, ex-employees, contractors or partners and suggested that 63 percent of breaches were inadvertent.

Last year, online retailer Catch of the Day made news after informing customers it had been hit by a breach – three years earlier. And it is far from the only retailer to be hit: Telstra's Cyber Security Report 2014 suggested that 41 percent of Australian companies had experienced a major security incident in the past three years.

Join the CSO newsletter!

Error: Please check your email address.

Tags Australian Federal PoliceOffice of the Australian Information Commissioner (OAIC)kmartGemaltodata privacyKmart Australiadata breachcustomer data hackCSO AustraliaOAICbreach notification

More about Australian Federal PoliceCatch of the DayFairfax MediaFederal PoliceGemaltoKmart Australia

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by David Braue

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts