Home Dymocks' Data Breach: What Marketers Need to Ask Themselves Compliance Dymocks' Data Breach - what marketers need to ask themselves. Earlier this month Dymocks became the most recent Australian corporation to experience a large-scale data breach. Notifying their database by email, Dymocks confirmed that 1.24 million customer contact records had been impacted and are available on the dark web. Information includes customers names, dates of birth, email addresses, postal addresses and gender. Dymocks confirmed that financial information was not breached. As can often happen in these circumstances, Dymocks became aware of the breach on the 6th of September when a concerned third party, Troy Hunt creator of the ‘Have I Been Pwned’ service, disclosed the breach after being shared evidence of Dymocks customer data on the dark web. Dymocks promptly responded – In notifying all customers they confirmed that “while investigations are ongoing and at the early stages, Dymocks’ cybersecurity experts have found evidence of discussions regarding customer data on the dark web” Dymocks also launched an internal investigation and began collaborating with the Office of the Australian Information Commissioner (OAIC) and the Australian Cyber Security Centre (ACSC). Whilst the investigation is still ongoing, Dymocks have reported that they believe the breach was due to unauthorised access to one of their third-party partner’s systems, and that to date it does not appear that there was any unauthorised access to their own system. This incident is yet another live reminder that all Australian businesses need to take the steps required to best protect their customer databases and minimise data breaches (or at the very least the impact that a data breach can have on a customer). While unfortunate for Dymocks, this is not an isolated incident – the OAIC has reported that they were notified of 409 breaches in the first half of 2023. Organisations must take preventive measures when it comes to data privacy and protection. Ask yourself these questions: 1. Do you have an avenue for third-party reporting of potential data breaches? The concerned third-party who disclosed the potential breach to Dymocks, said that “attempting to contact businesses about data breaches can be very difficult, there is usually no specific avenue to report a data breach, and using the general ‘contact us’ page can lead to the disclosure not getting immediate attention”. While in this instance a contact from LinkedIn was used to notify Dymocks, this is not an adequate process for a business to rely on. As an organisation it is prudent to implement a specific avenue that is easily available to the public for concerned third parties to report potential data breaches. It is also imperative that this avenue (inbox etc) is carefully monitored by your business so that your data breach response plan can be actioned as soon as possible. 2. Do you have a quick and effective response plan to a potential data breach? Dymocks fast response plan has been commended . As an organisation you should have a plan for how to deal with a potential data breach in a quick and effective way. Including what and who to disclose in a notification. The right assessment needs to take place to ensure you identify who and how your business will contain the breach and investigate it, who needs to be notified of the breach and if and when to contact the OAIC. 3. Are you minimising the data you store? All organisations should focus on data minimisation – which is ‘limiting the collection of personal information’ to what is directly relevant and necessary to accomplish a specified purpose. The data should only be retained for as long as is necessary to fulfil the purpose. a. Are you only collecting data that is necessary? An organisation should only collect personal data that is necessary for its business. While we do not know the specific reasons around why Dymocks collected the data it did, privacy enthusiasts have already started questioning the need for a bookstore to collect customer’s gender and date of birth. The suggestion is that instead, Dymocks could have collected just the birth year, or even age in a 5-year bracket. This alternate approach would have been far less valuable for malicious actors while potentially still serving the purposes that the business had hoped collecting exact birthdates would. When considering your own business’ risk exposure, ask yourself how you can get the same kind of information in a way that minimises harm in the event of a breach. b. Are you only storing relevant data? A business should not hold on to personal information for longer than necessary. Systems should be put in place to delete old profiles and inactive users’ data. It has been reported that a quarter of the customer records impacted were flagged as inactive, - this issue is not uncommon, it was also seen with the Optus data breach. This could potentially cause a business extra grief, especially since the penalties for serious or repeated offences increased in November 2022 to be the “greater of $50 million, 3 times the value of the benefits obtained or attributable to the breach, or 30% of the corporations “adjusted turnover” during the ‘breach turnover period). As an organisation you need to ensure your whole team is serious about data privacy and protection. The fines are big, the damage to your brands reputation can be bigger but most of all is the impact a breach can have on your Consumers Trust in the way you handle their data. This is the greatest impact of all. FIND OUT FIRST, STAY CONNECTED Sign up to receive ADMA newsletters, updates, trends, special offers, events, critical issues and more Job role*Agency Account Manager/ExecutiveAgency Account/Strategy DirectorCDOCEO / Managing DirectorClient Service / Sales ManagerClient Service/Sales DirectorCMO / CCO / Marketing DirectorCreative Director / HeadData Analyst / Scientist / EngineerDesigner/Copywriter/Creative ManagerEarly Career Data Analyst / Scientist / EngineerHead of Analytics / Analytics LeaderHead of Category/Customer Experience/InsightsHead of Marketing/BrandHead of ProductHR/Learning and Development ManagersIT Director/ManagerLegal/RegulatoryMarketing ConsultantMarketing Executive / CoordinatorMarketing Freelancer / ContractorProduct / Brand / Digital / Communication ManagerSenior Data Analyst / Scientist / EngineerSenior Marketing/Brand ManagerOther You may unsubscribe at any time using the link provided in the communication. View our Privacy Policy. Filter Resources Filter Courses Capability Capability Campaign Integration Compliance Customer Experience Marketing Technology Insights Learnings Brand Development Content Format Content Format Information sheet Member-only Press-release Article Blog Case Study Data Event Infographic Media Coverage Research Tool-kit Video Webinar Whitepaper Topics Topics CMO Spotlight Global Forum Global Forum 2023 Resource Compliance Resources CEO Blog Compliance Regulatory Content Copywriting Creative Data Data-driven Marketing Digital Campaigns Leadership Social Media Thought Leadership Article 07th Jul 2022 14 mins Australian brands failing to personalise digital experiences, new Deloitte research says More than half of Australia’s top 100 consumer brands are crossing the creepy line, with Deloitte’s analysis revealing many brands fail to offer any incentive in exchange for consumers’ creating an account with them. As privacy regulations here and overseas evolve, new Deloitte research offers some powerful insights for digital marketers to help pivot closer to a consumer-first approach to using data. Article 07th Jul 2022 16 mins Consumers catch on to privacy and data-sharing, GDMA survey shows Attitudes to privacy in the age of big data are evolving but for Australians, the big message is that trust is paramount as regulators and markets alike adapt to a fast-changing digital marketing ecosystem. 09th Jun 2022 9 mins The Regulators: The ACCC Oversees Competition and Consumer Laws and is Reviewing the Digital Industry The Australian Competition and Consumer Commission is the leading regulatory overseeing important regulatory changes and developments in Australia. It's vital to stay up to date with changes in the regulatory environment, read about them here. 09th Jun 2022 11 mins Changes: Regulations, Laws and Compliance Always Evolve Legislation and the work of regulatory bodies like ACMA, ACCC and the OAIC are always evolving over time. Sometimes it’s technology that leaps ahead and forces changes that lawmakers haven’t considered before. Other times, consumer needs or industry expectations have evolved to force us to consider different regulations. 09th Jun 2022 13 mins Avoiding Deceptive Conduct: Charities, Social Media Influencers and Businesses Can All Get Caught It can be easy to get carried away with sales promises, headlines and great customer offers but Australian laws and regulators come down hard on misleading and deceptive conduct and claims. It's best to steer clear of deceptive and misleading conduct, read on how you can. 09th Jun 2022 17 mins Regulations for Competitions: Trade Promotion Rules Competitions and promotions are great to grab attention, generate conversation and gather data but there are plenty of rules to be considered before they are brought to life. Load More
Article 07th Jul 2022 14 mins Australian brands failing to personalise digital experiences, new Deloitte research says More than half of Australia’s top 100 consumer brands are crossing the creepy line, with Deloitte’s analysis revealing many brands fail to offer any incentive in exchange for consumers’ creating an account with them. As privacy regulations here and overseas evolve, new Deloitte research offers some powerful insights for digital marketers to help pivot closer to a consumer-first approach to using data.
Article 07th Jul 2022 16 mins Consumers catch on to privacy and data-sharing, GDMA survey shows Attitudes to privacy in the age of big data are evolving but for Australians, the big message is that trust is paramount as regulators and markets alike adapt to a fast-changing digital marketing ecosystem.
09th Jun 2022 9 mins The Regulators: The ACCC Oversees Competition and Consumer Laws and is Reviewing the Digital Industry The Australian Competition and Consumer Commission is the leading regulatory overseeing important regulatory changes and developments in Australia. It's vital to stay up to date with changes in the regulatory environment, read about them here.
09th Jun 2022 11 mins Changes: Regulations, Laws and Compliance Always Evolve Legislation and the work of regulatory bodies like ACMA, ACCC and the OAIC are always evolving over time. Sometimes it’s technology that leaps ahead and forces changes that lawmakers haven’t considered before. Other times, consumer needs or industry expectations have evolved to force us to consider different regulations.
09th Jun 2022 13 mins Avoiding Deceptive Conduct: Charities, Social Media Influencers and Businesses Can All Get Caught It can be easy to get carried away with sales promises, headlines and great customer offers but Australian laws and regulators come down hard on misleading and deceptive conduct and claims. It's best to steer clear of deceptive and misleading conduct, read on how you can.
09th Jun 2022 17 mins Regulations for Competitions: Trade Promotion Rules Competitions and promotions are great to grab attention, generate conversation and gather data but there are plenty of rules to be considered before they are brought to life.