Kings Plant Barn the latest retailer hit by click-and-collect data breach - NZ Herald

19 Jan, 2022 04:30 AM

By Chris Keall
Chris Keall is the technology editor and a senior business writer for the NZ Herald
Kings Plant Barn has contacted customers about a security breach to FlexBooker, the internet-based system it uses to organise click-and-collect bookings.

Names, email addresses and collection times were exposed.

But the gardening chain says no credit card details, passwords or mobile numbers were exposed.

A Kings customer forwarded the Herald a copy of an email sent this morning with the subject line "An Important Privacy Update".

He was surprised to receive the alert. "I'm not a club member, just ordered some plants via click-and-collect when it was the only way to buy stuff during the lockdown," he said.

Yet the email was also familiar, with its text closely matching an alert he received from Bunnings last week.

That's no coincidence. Both Kings and Bunnings use the cloud-based FlexBooker to organise click-and-collect, along with many other retailers around the world.

And on January 7, the US-based firm revealed a group of hackers had stolen data on December 23. The cyber-heist saw details from some 3.7 million accounts compromised.

Since then, a number of retailers around the world that use FlexBooker have issued alerts to their customers, including Bunnings' Australian and NZ operations on January 13.

In the Kings email this morning, general manager Chris Hall says: "We have contacted FlexBooker requesting further information, and are reviewing the ongoing usage of this booking system as part of our investigation."

He adds, "There's no action you are required to take at this stage in response to the breach. We just wanted to make sure you were aware of it and to please be cautious of any unusual activity on your email account."

Customers who do notice anything awry are told to contact Netsafe.

Why did it take so long for Kings to issue an alert?

"We are sincerely disappointed that we were only informed of the data breach via Bunnings public relations response last week," Kings head of marketing Natalie Allen told the Herald.

"While only a small number of our customers were affected in comparison to the millions of Bunnings customers, I think our greatest disappointment is that FlexBooker did not inform us as a paid customer of their software service so that we could advise our customers more promptly.

"We are following the recommendations by the Privacy Commission in this instance and have an investigation underway, but the security and protection of our customers is our number one priority. The email was sent within a few hours of us learning of the incident that occurred last year, as we wanted our customers to be informed so any suspicious activity could be actioned accordingly."

FlexBooker released a notice in the first week of January, admitting that its cloud systems were targeted.

"On December 23, 2021, starting at 4:05 PM EST our account on Amazon's AWS servers was compromised, resulting in our temporary inability to service customer accounts, and preventing customers from accessing their data," it said.

"As part of the incident, our system data storage was also accessed and downloaded. In response to the outage, we worked closely with Amazon to restore a backup, and were able to restore operations within 12 hours."

It's unclear how the attackers were able to compromise the FlexBooker account and whether human error such as cloud misconfiguration had anything to do with it.

According to FlexBooker, the stolen information included customers' full names, email addresses and phone numbers. It claimed that no payment card details were compromised, although according to HaveIBeenPwned, "partial credit card data" was taken.

Customer passwords were encrypted, and the encryption key was not accessed or downloaded, FlexBooker said.

The company added, "As a precautionary measure, we recommend that you remain vigilant by reviewing your account statements and credit reports closely."