NewsBite

The Iconic says it wasn’t hacked but will refund customers whose funds were accessed and used

Online fashion retailer The Iconic says its site was not breached by hackers; instead, thieves got into customer accounts using login details stolen from other sites and spent the funds linked to those accounts.

The Iconic is a favourite among fashion fans. Picture: Richard Dobson
The Australian Business Network

Popular Australian fashion website The Iconic has promised full refunds to customers whose accounts have been hacked and had items purchased with their money without their knowledge.

In a statement on Tuesday, The Iconic stressed the company itself had not been hacked, but rather hackers had used data gained from other hacks to access customer accounts.

“We have recently seen an increase in fraudulent account login attempts on The Iconic, which our security and fraud teams continue to actively manage, in conjunction with our security partners,” read the statement.

“We are working with all customers to address these incidents, which are not a result of a data breach at The Iconic … we continue to work with our third party security partners to protect against all fraudulent activity.

“Our teams are also proactively intercepting unauthorised access attempts and cancelling any fraudulent orders made, in addition to providing customers with full refunds for any successful orders made that have been dispatched.”

It follows claims made on social media platforms that the online retailer had substandard security measures. A news.com.au reporter set up an account to test the site's security and found that the website offered no multi-factor authentication and that the email address linked to an account could be removed without any confirmation being sent to it.

It’s the latest cyber security incident to confront Australian businesses. In the week between Christmas and New Year Australia’s largest car dealership group, Eagers Automotive, revealed it had been hacked and customer data was stolen. In mid December Yakult was hacked and in September 2022 telco Optus was hit.

Responding to a post on The Iconic’s Facebook page, one angry customer said: “Hey The Iconic any reason why you’re sending out emails pretending like you’re being proactive with online security?

“Meanwhile you’ve got loads of customers waiting to hear how their personal and financial information was accessed? Once our bank flagged the suspicious activity ($1000 in transactions) the iconic just deleted my account so I couldn’t log in.

“No way to contact their customer service except using a chat bot who then says due to the high demand of contacts they’re working as quickly as possible to get back to us.”

An angry The Iconic customer vents on Facebook.

The cyber criminals used a form of hacking known as “credential stuffing”, which Professor Nigel Phair from Monash University’s Department of Software Systems and Cybersecurity said was when hackers “get a username and password from another compromised website and plug it in to all these other websites”.

“The easiest way to get around this is multi-factor authentication,” Prof. Phair said. “It wouldn’t matter about the username or passwords being stolen.”
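As an added illustration, not code from the newspaper, The Iconic or Prof. Phair, the following Python script shows what the "fraudulent account login attempts" pattern described above looks like in a login log and how a fraud team might pick it out: one source address trying many different usernames in a short window with a high failure rate, as distinct from a brute-force attack that hammers a single account. The log format, IP addresses, usernames and thresholds are all constructed assumptions for the example.

```python
"""Credential-stuffing detector over a constructed login-attempt log.

Added example (not The Iconic's code). The log format "<iso-time> <src-ip>
<user> OK|FAIL", the addresses, the usernames and the thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple


class Attempt(NamedTuple):
    ts: datetime
    ip: str
    user: str
    ok: bool


# Constructed sample log. 203.0.113.7 replays leaked user:password pairs across
# many accounts (two of them succeed); 198.51.100.9 is a user mistyping a
# password; 192.0.2.44 brute-forces a single account.
SAMPLE_LOG = """\
2024-01-09T10:00:01 203.0.113.7 alice@example.com FAIL
2024-01-09T10:00:02 203.0.113.7 bob@example.com FAIL
2024-01-09T10:00:02 203.0.113.7 carol@example.com OK
2024-01-09T10:00:03 203.0.113.7 dave@example.com FAIL
2024-01-09T10:00:03 203.0.113.7 erin@example.com FAIL
2024-01-09T10:00:04 203.0.113.7 frank@example.com OK
2024-01-09T10:00:05 203.0.113.7 grace@example.com FAIL
2024-01-09T10:00:05 203.0.113.7 heidi@example.com FAIL
2024-01-09T10:00:06 203.0.113.7 ivan@example.com FAIL
2024-01-09T10:00:06 203.0.113.7 judy@example.com FAIL
2024-01-09T10:01:00 198.51.100.9 alice@example.com FAIL
2024-01-09T10:01:05 198.51.100.9 alice@example.com FAIL
2024-01-09T10:01:09 198.51.100.9 alice@example.com OK
2024-01-09T10:02:00 192.0.2.44 mallory@example.com FAIL
2024-01-09T10:02:01 192.0.2.44 mallory@example.com FAIL
2024-01-09T10:02:02 192.0.2.44 mallory@example.com FAIL
2024-01-09T10:02:03 192.0.2.44 mallory@example.com FAIL
2024-01-09T10:02:04 192.0.2.44 mallory@example.com FAIL
2024-01-09T10:02:05 192.0.2.44 mallory@example.com FAIL
2024-01-09T10:02:06 192.0.2.44 mallory@example.com FAIL
2024-01-09T10:02:07 192.0.2.44 mallory@example.com FAIL
2024-01-09T10:02:08 192.0.2.44 mallory@example.com FAIL
2024-01-09T10:02:09 192.0.2.44 mallory@example.com FAIL
"""


def parse_log(text: str) -> List[Attempt]:
    """Parse the hypothetical whitespace-separated login log into Attempt rows."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        out.append(Attempt(datetime.fromisoformat(ts), ip, user, result == "OK"))
    return out


def classify_sources(attempts: List[Attempt],
                     window: timedelta = timedelta(minutes=5),
                     min_users: int = 8,
                     min_attempts: int = 10,
                     min_fail_rate: float = 0.5) -> Dict[str, dict]:
    """Label each source IP as credential_stuffing, brute_force or normal.

    Credential stuffing: many distinct usernames from one source inside `window`,
    mostly failing, because the attacker tries one leaked password per account.
    Brute force: many attempts against one or two usernames, nearly all failing.
    For a flagged source, `compromised` lists the accounts that logged in from it;
    those are the ones a fraud team would lock and refund.
    """
    by_ip: Dict[str, List[Attempt]] = defaultdict(list)
    for a in attempts:
        by_ip[a.ip].append(a)

    report = {}
    for ip, rows in by_ip.items():
        rows.sort(key=lambda a: a.ts)
        label = "normal"
        start = 0
        for end in range(len(rows)):  # sliding time window over this IP's attempts
            while rows[end].ts - rows[start].ts > window:
                start += 1
            win = rows[start:end + 1]
            users = {a.user for a in win}
            fail_rate = sum(not a.ok for a in win) / len(win)
            if len(users) >= min_users and fail_rate >= min_fail_rate:
                label = "credential_stuffing"
                break
            if len(win) >= min_attempts and len(users) <= 2 and fail_rate >= 0.9:
                label = "brute_force"
                break
        compromised = sorted({a.user for a in rows if a.ok}) if label != "normal" else []
        report[ip] = {
            "label": label,
            "attempts": len(rows),
            "distinct_users": len({a.user for a in rows}),
            "compromised": compromised,
        }
    return report


if __name__ == "__main__":
    for ip, info in classify_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

The point of the distinct-users measure is that per-account lockouts, which stop the brute-force source, do nothing against the stuffing source: it touches each account only once. Rate limits and reputation scoring keyed on the source, plus multi-factor authentication on the accounts themselves, are the controls that actually bite, which is the recommendation Prof. Phair makes above.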

Professor Phair said he “thought it was cute how (The Iconic) were blaming the customers, not themselves”.

“First thing which should happen, all e-commerce companies in this situation need to do is a risk analysis for how customers access their accounts. Multi-factor would be a really simple, easy fix.

“But they have to invest the time into risk management and then the effort into control to help their customers.

“And then when something like this happens, it’s no point to get cute in the media and say there was no breach. You have been breached and it was a cyber attack of sorts.”

A spokesman for The Iconic told The Australian: “Customers are our first priority; even though the breach hasn’t been on our behalf, we’ve seen accounts be taken over which we want to intercept. The funds that have been taken from them, that for us is the priority.

“When it comes to security and fraud measures in place, we’ve invested heavily and as part of this incident and the ongoing investigation we will be continuing to strengthen the security on our side.

“We’ve also emailed customers to be vigilant on their side, we’re not placing blame but we have given people a reminder that unfortunately it is a very common scam method.”

When quizzed on the lack of multi-factor authentication to this point the spokesman said: “We do have high level security and fraud measures in place, but there’s always room for us to strengthen. We will continue investing as part of our ongoing diligence, and (multi-factor authentication) is something that has been flagged in our investigation.”

Joseph Carbone, Digital Producer - Business

Joseph Carbone is a producer for The Australian Business Network after serving as Acting Digital Editor for The Weekly Times, Australia's foremost rural news source.


Original URL: https://www.theaustralian.com.au/business/the-iconic-says-it-wasnt-hacked-but-will-refund-customers-whose-funds-were-accessed-and-used/news-story/4dfe8077049fba3b4e56a89be9577791