In this advisory, we provide information around the recent Pizza Hut and Dymocks breaches which add to the dataset available post Medibank, Optus and other leaks over the past 24 months. We encourage our partners to further disseminate some of the core messaging in this advisory to your larger user and community audience.
As always, should you have any queries on the below or require further assistance please don’t hesitate to reach out to our team.
More consumer data leaked
Over the past month we have unfortunately seen a number of consumer brands hacked.
Once we hand over our personal data to an organisation, the control we have over that data and how it is used is extremely limited. What we can do however, is educate ourselves to the repercussions of handing over our data and adopt some strategies that can assist us to protect our identities and accounts.
Ask more questions…
- What does responding to this survey, providing an email address or phone number really mean to my privacy?
- How will this organisation secure these details?
- Do they really need all of this information (on me) to provide their service?
Tips to secure your account and identity
Here are a few tips to ensure that your accounts remain secure:
- DO NOT USE your work based email account for personal purposes.
- Secure any and all accounts with Multi-factor authentication. It’s almost ubiquitous now, so if this function is available ensure that you turn it on for your account.
- As counter-intuitive as this may sound, where possible use different passwords for different accounts. So if one is breached and a password leaked a user is not prone to account takeover in another account.
- Where possible consider using a phrase as a password, which will make it easier to remember. (See how easily your 8 character password can be cracked on the links below!)
- Make use of password tools that securely store passwords on your behalf. There are many secure apps for your phone, PC/ Mac and web-browsers that can assist us in ensuring we have secure passwords across our accounts.
- Spread the word on Cyber awareness. Not that we expect (or hope) that Cyber will turn into as familiar conversation as Australian house prices are, but for many generations living in a cyber world is second nature. However, for our older generations a lot of these attacks and their consequences may not be top of mind. The more educated we all are, the lesser chance we become a bigger victim of these leaks.
- You can request an organisation to delete your data. So if you believe your information is with an organisation that it doesn’t need to be, reach out to them and ask them to remove it. Unless there is a compliance or regulatory requirement for them to keep your data, they must remove it based upon your written request.
- Never send confidential information across insecure channels such as email and always verify the identity of any requesting party through at least two mechanisms (such as phone and email or phone and address etc, via independent sources)
For those that have been caught up in a past present or most likely future data leak, remain vigilant. (And let’s be honest the current wave of breaches would not appear to be slowing at this point in time).
- Be very cautious when interacting with email, SMS, WhatsApp or other Social media invitations from unknown sources.
- Ensure that you remain vigilant to potential account takeover or identity take-over activities where your account or identity may be used for fraudulent purposes.
- Be sure that you are aware of the support available to you from the company that has been caught up in the breach, along with the support that can be provided from the Government.
- And if you haven’t already done so, change your account passwords for any accounts that may be using the same email address/ username and password combination used within the Dymocks or Pizza Hut systems.
So let’s take a look at what has been breached and how this information may be used against those whose data has been leaked.
Pizza Hut
At this stage, we know that the Pizza Hut attack was completed via access to AWS hosted system and has been claimed by the ShinyHunters.
According to “Shiny” (@shinycorp), the group gained access 1-2 months ago via Amazon Web Services (AWS) using multiple entry points. They claim to have exfiltrated more than 30 million records with customers’ orders as well as information on more than 1 million customers.
The dataset released to date includes the following
- OrderId
- OrderReference
- ExternalReference
- ChannelName
- ChannelType
- ApiUserId
- ServiceType
- CreatedAt
- ChangedAt
- OrderedAt
- OrderDueAt
- StoreId
- StoreName
- CustomerId
- FirstName
- LastName
- EmailAddress
- PhoneNumber
- PostalCode
- PaymentType
- PaymentReference
- PaymentResponse
- BasketDetail
- OrderDetail
- WebHookUrl
- Source
- PosCustomerSequenceNumber
- CustomerSequenceNumber
- CheckNumber
- CheckSequenceNumber
- FullName
- GesReminder
- Status
- CreatedAtDate
- OrderDueAtDate
- GesReminderRedirected
- OrderShortId
- GesCode
- MobilePhone
- OptinEmail
- OptinSms
- UserId
- OrderNote
- baskettotal
Of note is the Opt-in information and the userID, making this information very suitable to future phishing style attacks with emails and SMS’s purporting to be from Pizza Hut.
A second leaked sample file (json file) contains 100,000 customers’ information including:
- names,
- email addresses,
- postal addresses,
- longitude,
- mobile phone numbers,
- passwords,
- service type (delivery or pickup), and
- credit card numbers.
The credit card data was encrypted and the passwords were hashed, but the other fields were all plaintext. (See our note below on passwords!)
We are aware that Pizza Hut has been in contact with customers’ that may have been impacted by the breach.
Dymocks
A listing for 1.2 million customer records allegedly from Dymock’s is now available on the Darkweb. The csv file contains the following information:
- customer_id_
- first_name
- last_name
- FullName
- gender
- email_address_
- mobile_country_
- mobile_number_
- dob
- postal_street_1_
- postal_street_2_
- state_
- postal_code_
- city_
- gold_expiry_date
- AccountStatus
- account_status
- member_created_date
- card_ranking
The data was leaked on September 3, 2023. Again the dataset is enabler for phishing style attacks against the Dymocks’ customer base. Of further concern, is that some of the dataset could be used for fraudulent account or identity take-over style activities (DOB).
HWL Ebsworth
Of real consequence to Australian Government and the larger end of town is the HWL Ebsworth attack which will unfortunately have a very long tail for big business and government departments across the country. Although not a focus of this advisory, businesses should be aware of the attack and it’s implications. We will provide more on this attack at a later date.
What is Multi Factor authentication?
From the ACSC:
…”Multi-factor authentication typically requires a combination of something the user knows (PIN, secret question), something you have (card, token) or something you are (fingerprint or other biometric).”…
Further reading:
https://www.cyber.gov.au/protect-yourself/securing-your-accounts/multi-factor-authentication
How easy is it to crack a password?
Although the passwords leaked were hashed, unfortunately passwords are able to be cracked rather simply. For those with the time and inclination the following article provides a good insight into how susceptible passwords are to cracking and the time that it takes to crack.
techrepublic.com/article/how-an-8-character-password-could-be-cracked-in-less-than-an-hour/