Tradies at risk as Total Tools hit with a data leak
The hardware chain is scrambling to limit the impact of 38,000 customers’ data being ‘illegally compromised’, potentially by professional hackers.
Hardware chain Total Tools has suffered a major data leak that is believed to have impacted 38,000 customers covering credit card numbers, email addresses and log-in details, in an act likely committed by professional cyber hackers.
Total Tools, owned by Metcash, has been working on the data leak for a number of days after it first discovered unusual and suspicious activity within its IT systems, The Australian can reveal, and is still investigating the true size and scope of the data leak.
After an initial investigation by a third party forensic cyber specialist, Total Tools is understood to have estimated that customer data linked to 38,000 of its shoppers has been illegally compromised.
The compromised information includes names, email addresses, credit card data and log-in details.
Total Tools chief executive Richard Murray said the company believed the cause of the data leak had been fixed, and it was writing to customers specifically impacted by the incident.
“The cyber incident has illegally compromised certain personal information, however Total Tools is confident that the cause of this incident has been removed from its website,” Mr Murray said on Thursday.
“The data that has been illegally compromised includes customer name, email address, Total Tools password, mobile number, shipping address, and credit card details of customers who shopped or registered on our website recently.”
Mr Murray said as soon as the company identified the potential impact of the cyber incident, its team, along with a forensic and cyber security expert, took immediate steps to secure its website and assist with the response.
“We continue to work with this expert on this matter,” he said.
“Total Tools’ communications to impacted customers recommended precautions they can take to lower the risk of their information being potentially misused.
“In addition to contacting impacted customers, Total Tools has also implemented several additional cyber security measures to minimise the likelihood of this occurring again.”
Mr Murray, the former chief executive of JB Hi-Fi and boss of billionaire Solomon Lew’s Premier Investments’ retail arm, said Total Tools would keep customers updated.
“We are dedicated to supporting all impacted customers throughout this process and ensuring they can continue to shop instore and online at Total Tools with confidence.”
Earlier on Thursday, Total Tools’s website was momentarily shut down due to a technical error over the updating of prices, but this had nothing to do with the data leak.
Mr Murray said Total Tools alerted the Australian Cyber Security Centre and Office of the Australian Information Commissioner to the cyber incident.
Total Tools is the latest Australian business to have sensitive data taken in a cyber breach.
In late 2022 publicly-listed health insurer Medibank’s market value collapsed by $1.7bn as hackers linked to an online Russian criminal forum threatened to expose the health records and other sensitive information of millions of Australians.
Eventually the cyber attack, which compromised the records of 10 million customers, cost Medibank more than $30m and regulator APRA forced the insurer to set aside a capital adequacy requirement of $250m after “weaknesses” were identified in its IT infrastructure.
Telco Optus was another high-profile victim of data leaks and was later hit with legal action from the Australian Communications and Media Authority, which argued the carrier breached the Telecommunications (Interception and Access) Act 1979. It was later reported in The Australian that data breach cost Optus as much as $140m.
This year about half of Australia’s population was impacted by a cyberattack on MediSecure, a healthcare information service that provides electronic prescriptions and a prescription monitoring service.
Other Australian corporations that suffered data leaks and cyber attacks in recent years included tech company Canva, financial services company Latitude and a number of universities and health services.
Originally published as Tradies at risk as Total Tools hit with a data leak