Big W confirms customer data exposure

The discount department store ceased online shopping operations last Thursday after its checkout began pre-populating with other customers' data as a result of a 'technical issue'.
Written by Asha Barbaschow, Contributor

Australian discount department store Big W confirmed over the weekend that it experienced a "technical issue" that saw the checkout process pre-populated with the personal information of other customers.

In a statement, Big W said it was working hard to resolve the issue that occurred between 1.50pm and 3.00pm AEDT on Thursday, which exposed the name, phone number, and address of another customer on the bigw.com.au website.

"Based on Big W's thorough investigation of the issue, we can inform you that no passwords, login details, bank account, or credit card details were compromised during this time," the company said.

"We confirm that your financial information is not at risk, and there is no need to take any action regarding your credit or other payment cards."

Big W also said there is no need to change any account details or passwords.

The company pulled down its website at 3.00pm on Thursday, and said it immediately commenced an investigation.

At the time of publication, a message was still on the company's website, informing users that its online store is currently open for browsing only.


Big W apologised to customers and said it is currently in the process of personally contacting customers who may have been affected. Website technicians are working to rectify the issue and restore the Big W site safely and securely, it said, confirming that the restoration would be performed in stages over the coming days.

"We appreciate your patience in this regard, and want to assure you that as a valued customer of Big W, we are doing everything possible to ensure this does not happen again," the company said. "We sincerely apologise for any inconvenience caused."

Big W also said it reported the incident to the privacy commissioner at the Office of the Australian Information Commissioner.

The Australian Red Cross similarly apologised last month for the leak of a database back-up containing 1.3 million rows and 647 different tables of data stemming from an online donor application form. This contained donor details including name, gender, address, email, phone number, date of birth, country of birth, blood type, and other donation-related data, as well as appointments the donors had made.

"The issue occurred due to human error," Australian Red Cross Blood Service CEO Shelly Park told journalists at the time. "The back-up file contained 550,000 people who completed a web form to access a donation between 2010 and 2016.

"I wish to stress that this file does not contain the deep personal records of people's medical history or of their test results."

In a statement, the Australian Red Cross said the form it uses to collect the leaked data did not connect to its other databases which contain "more sensitive medical information".

Earlier this year, online classifieds site Gumtree Australia confirmed it had been hacked, sending an email to a number of account holders in April that admitted attackers had infiltrated its system and accessed email addresses, contact names, and phone numbers.

The e-marketplace maintained that account passwords were not obtained and that it does not store payment information on its site, which it said means no payment information had been compromised.

Australian department store David Jones revealed last October that customer details were stolen as a result of its website being hacked on September 25, 2015.

At the time, the retail giant said no customer credit card information, financial information, or passwords were stolen, as it does not store any credit card information or financial information on its website, but said the customer details that were stolen were names, email addresses, order details, and mailing addresses.

The breach came a day after Australian discount homewares chain Kmart revealed it had also experienced a breach. The Wesfarmers-owned company said no customer credit card or other payment details had been compromised; however, customers' names, email addresses, home addresses, telephone numbers, and product purchase details had been accessed in the "external privacy breach" that occurred in early September.
