Another Australian firm – Early Settler, a furniture retailer – has been hit by a data breach, an example that cyber insurance companies and brokers may send to their clients to emphasise the importance of staying protected against cyber risks.
In an exclusive report from Cyber Daily, Early Settler confirmed a data breach that resulted in customer names and contact details being posted on a hacking forum.
The breach was revealed on Aug. 3 by a forum user named “worry,” who claimed to have data on 1.1 million customers.
“Earlysettler.com.au (esrgroup.com.au) is a big furniture and retail company in Australia,” worry posted, under the title “Earlysettler.com.au 1m.”
The user added: “Dumped in July 2024 by me, total users 1.1M. Contains full names, emails, phone, address, dob, etc.”
The hacker provided a link to sample data, mostly comprising internal loyalty rewards information, customer reference numbers, and several survey results. Most fields in the sample data were empty.
While some email addresses had been exposed in prior data breaches, others were unique to this event. The data was listed for sale at US$2,000, with contact details provided for potential buyers.
An Early Settler spokesperson confirmed the breach.
“Early Settler has become aware that a third party has named our company online alongside claims they have accessed some of our customers’ contact information. We understand this news may cause concern and wish to assure our customers that we are investigating this as a priority, including a review of our security systems as a precautionary measure,” the spokesperson told Cyber Daily.
The spokesperson said that the breached data includes names, phone numbers, email addresses, delivery addresses, and dates of birth. However, they stressed that no payment details were compromised, as the company does not store credit or bank card information.
The breach involved data from an archived database dating back to July 2022, with no customer information from beyond that date affected. The dataset includes complete dates of birth for a small number of customers and month of birth for some.
“We apologise for any concern that this news may cause and would like to assure our customers that we have no evidence of any broader impact to our systems or information,” the spokesperson for Early Settler said, as reported by Cyber Daily.
The company said it will notify its customers. Authorities, including the Office of the Australian Information Commissioner (OAIC), the Australian Cyber Security Centre (ACSC), the New Zealand Office of the Privacy Commissioner (OPC), and CERT NZ, have been informed.
“We take cybersecurity seriously and are committed to keeping all our stakeholders updated as we work to respond to this incident,” the company said. “We would like to assure our customers that we are taking all appropriate steps to remediate this situation as swiftly as possible and have also implemented sophisticated monitoring systems to ensure we are aware of any further developments.”
Many Australian businesses have been hit by waves of cyberattacks this year. Last month, Perth’s Harry Perkins Institute of Medical Research reported a cyber incident, with hackers claiming to have released a significant amount of data after it declined to pay a ransom.
During the same month, Healthed, an Australian healthcare education provider, confirmed a data breach affecting its event participants. Wattle Range Council on South Australia’s Limestone Coast also reported a data breach that exposed approximately 43,000 files from an outdated server.