Now David Jones gets hacked


David Jones today notified customers that it had become the latest casualty in a hacking spree which appears to be targeting Australian retailers.

The retailer said in a statement today that it had recently advised a number of its online customers that a third party exploited a vulnerability in its website to extract limited customer information. The information obtained was restricted to customer name, email address, order details and mailing address.

No credit card information, financial information or passwords were obtained as David Jones said it does not store any credit card information or financial information on its website. According to the retailer, there is so far no indication that the stolen information has been misused in any way.

“As soon as David Jones learned of the incident, we moved swiftly to prevent any further unauthorised access,” the retailer said. It has directly contacted customers who were affected, as well as informing the Australian Federal Police, the Attorney-General’s Department and the Office of the Australian Information Commissioner of the situation and consulting with “cyber security experts”.

“David Jones takes its customers’ privacy seriously,” the company said. “We have security procedures in place to protect our customers’ information when using our webstore. This type of unauthorised access is a crime and unfortunately, cybercrime is a persistent threat in today’s world. Despite our best efforts, no business is immune and we sincerely apologise that this has occurred.”

The retailer believes the vulnerability which was used to access its data has been shut down.

“We are committed to making this right and are taking action to reduce the likelihood of this happening again. We are reviewing our systems, security measures and working with expert security consultants. Protecting our customers is of paramount importance to us,” it said.

The news comes as hackers appear to be targeting retailers more generally across Australia at the moment.

National retailer Kmart this morning revealed it had called in the Australian Federal Police and the Office of the Australian Information Commissioner to investigate an IT security breach which it has confirmed saw customers’ data accessed by unknown parties.

opinion/analysis
Who’s next? As I wrote about the Kmart incident:

I suspect that this kind of breach is more or less a dime a dozen at the moment — and that we’re not hearing about a lot of the activity. In this sense, security is a bit like an iceberg — there are doubtless many more corporate breaches of this nature swimming below the surface unreported. It will be fascinating to see how many finally come up for air if compulsory data breach legislation ever passes the Federal Parliament.

Image credit: Eva Rinaldi, Creative Commons

6 COMMENTS

  1. I had a shower thought this morning

    Despite the best security in the world, someone will find a way or a weakness

    Much like breaking into a protected shop

  2. Principle #1 of cyber-security: Assume the client has already been penetrated.
    Principle #2 of cyber-security: How many top-rank company officers will have to lose access to the server?

    Gordon.

    • Principle #1 of cyber-security: Never give retailers your personal information – It’s NONE of their business.

      • Agreed: some offer 30% immediate discounts and if this isn’t a warning sign worth heeding then the species has no hope!

  3. I’m not surprised that KMart and DJs have been hacked. It’s also worth pointing out that Sussan’s marketing website was hacked earlier this year as well.

    The market, in general, has been slower for the retail sector. Given that, it’s not hard to see that IT would be expected to tighten their belt a little – usually security tends to be amongst the first to bear that brunt.

    Target and the other retailers in the US were a warning for everyone – I wonder if retail around the world sat up and paid attention. If not, they’re about to end up in a world of hurt.

    Ultimately IT security is an exercise in futility, in a manner of speaking, that needs to be undertaken. You need to accept you’ll be hacked, but the key is making sure you have a plan to respond when you do.

  4. CSO mag are questioning whether both of these attacks are related to unpatched IBM Websphere vulnerabilities – http://www.cso.com.au/article/585904/after-kmart-david-jones-confirms-hack-too-un-patched-ibm-websphere-blame/.

    David Jones also gets a ‘C’ from the folks at SSL Labs (see https://www.ssllabs.com/ssltest/analyze.html?d=shop.davidjones.com.au). Whilst this indicates they’re relatively up to date on patching things like POODLE and the like, they don’t have TLS 1.1 or 1.2 enabled so probably haven’t updated the server build recently.
