Aussie’s $6k card fraud after retailer’s payment portal hacked
An Australian retailer’s hack has leaked concerning data and one customer has been left “infuriated” by the impact and lack of remorse.
An Australian retailer quietly revealed to customers that its payment portal had been breached with sensitive personal information “at risk”, leaving one shopper “infuriated” as his card had been hit by $6000 in fraudulent spending just weeks earlier.
But when the customer Steve, who did not want his surname used, checked the retailer’s website, he was further shocked.
“There was a note saying that they had discovered that this data was being accessed for the entire last year,” he told news.com.au.
Steve added it was bizarre that there is currently no mention of the breach anywhere online.
“I thought that was absolutely insane. How is there no repercussions? And the fact that it had happened for one year. How many customers have had their card details pinched?” he said.
The Melbourne man had been looking for a new kettle and found the cheapest offer on Australian online electrical retailer Stan Cash.
However, he said he couldn’t use PayPal to make the purchase so he used his card instead. The 50-year-old said he had never used the card online before and that was the only transaction he had used it for.
Not long after the purchase he woke up to a string of fraudulent transactions on his card.
These included three purchases with Virgin Australia totalling $3495, Uber Eats, some international transactions and one to something called ‘Sp Protech it so’ for $1800.
“I woke up to around $6000 of fraudulent transactions which took months to recover (and I) also had to wait for pending transactions to go through before the bank could act,” he said.
A few weeks later he got the dreaded email from Stan Cash and another store in the group called Billy Guyatts.
Sent in July last year, the retailer said it had identified a case of unauthorised access to the payment portal which was hosted by a third party website provider.
The email went on to tell customers that because they had made a recent purchase via one of the websites, personal information could be “at risk” including credit card information, first and last names, email addresses, mobile numbers and their billing and delivery address.
“We recommend you remain alert for any suspicious activity on the credit card you used to make the purchase. If you see any suspicious activity, you should contact your financial institution,” the email said.
“Stan Cash and Billy Guyatts do not store payment details and no customer account passwords have been compromised in this breach.”
But Steve was left infuriated, labelling the email “pathetic”.
“I was just angry as I just thought there is no apology and the fact they were palming off the blame to a third party – that was pretty poor,” he said.
He said he had to deal with fraudulent transactions all because he “bought a bloody kettle” from the retailer and his reply to their email went unanswered.
“I thought at the very least they could have replied to my email and acknowledged it. But they just brushed their hands of it,” he said.
“It’s such a horrible feeling having fraudulent transactions especially when it’s a big number like that. It’s your money and your savings and someone has helped themselves to it.”
Steve said it was a stressful period as there is no guarantee banks will refund the money.
“It would be good to see companies like that being held accountable and for them to be all over it and have much tighter security, especially when it’s involving customers’ card information,” he added.
Stan Cash and Billy Guyatts are owned by a larger company called BSR Group, which describes itself as a leading franchisor operating in the electrical retail industry throughout Australia.
A spokesperson for the BSR Group said the company deeply regrets the data breach.
“After thorough forensic IT investigations, BSR determined the risk period and then took immediate steps to notify and communicate with the potentially impacted customers, whilst simultaneously taking all reasonable steps to remediate the breach,” they said.
“We promptly notified the OAIC and the Victorian Police, and assisted customers who reported potential fraud to be contacted by the Victorian Police who were investigating the incident.”
BSR Group did not respond to questions about how many customers had been impacted or whether data had been accessed for an entire year.
Feedback received from the Victorian Police and the OAIC indicates they were satisfied that BSR’s management of the data breach was compliant and appropriate, the BSR Group spokesperson added.
The Office of the Australian Information Commissioner (OAIC) confirmed that BSR Group had notified it of the data breach.
“Under the Notifiable Data Breaches scheme, any organisation or agency the Privacy Act 1988 covers must notify affected individuals and the OAIC when a data breach is likely to result in serious harm to an individual whose personal information is involved,” a spokesperson added.
sarah.sharples@news.com.au