Aussie Farmers Direct falls victim to “brazen” website hack and extortion attempt

Home delivery service Aussie Farmers Direct is the second Australian online retailer to have fallen victim to a website hack in a week, after the details of more than 5000 of its customers were exposed and posted online last Thursday.

Last week online retailer Patagonia revealed it had been the victim of a cyber-attack, with about 12,500 customer non-financial  details exposed.

The latest hack, which occurred on Thursday, involved the theft of the names, email and delivery addresses of 5149 Aussie Farmers Direct customers, a spokesperson for the company Jim Cooper told SmartCompany today.

The attack was also an extortion attempt, with the individuals or individual behind the attack demanding a “significant” amount of money, Cooper says.

No credit card or financial details were posted online because of the breach, according to the company.

Aussie Farmers Direct advised affected customers of the attack and publication of details in a statement on its website and Facebook page on Friday.

“It appears that this data has been published as part of an extortion attempt on the company,” the company said.

“Aussie Farmers Direct takes the issue of customer data privacy very seriously and we are conducting a thorough investigation.”

The company told customers it has notified the Australian Federal Police and the Office of the Australian Information Commissioner, and is now acting on their advice as well as that of independent IT security experts.

“Although we do not store credit card numbers within our systems we have also taken the precaution of contacting our banking partner about the matter,” the company said.

Cooper told SmartCompany this morning the leaked data was taken down from the website a couple of days ago.

He says the business sought to do the right thing by its customers by immediately notifying them of the breach and involving police.

“We did two things – we became aware of data being posted on site on Friday around lunchtime and by mid arvo had written to all 5000 customers directly to advise them of the breach,” he says.

“We also put a post up on Facebook more broadly to let our customers know.

Cooper says the company’s customers have understood the situation.

“By and large customers have been fantastic,” he says.

“We’ve been around about 10 years and this is the first time anything like this has happened to us. We’ll be doing anything we can to minimise what we can to prevent this from happening again.”

Michael McKinnon, security advisor at AVG, told SmartCompany this morning there are similarities with the Aussie Farmers Direct breach and a recent hack at Talk Talk in the UK.

“I think they’ve done absolutely done the right thing, involved police and Office of Australian Information Commissioner,” he says.

“I’ve seen a few compromises recently where data seems to be taken for purposes of asking for ransom for the data.”

McKinnon says it indicates hackers are becoming more ambitious.

“To me it demonstrates these attacks becoming a bit more brazen, previously the data compromises were just along lines of stealing data,” he says.

“This seems to be a deliberate attempt to compromise the data of a business.”

McKinnon thinks the message for any business that finds itself in this position is “do not under any circumstances respond”.

“Hand that information directly to the police,” he says.

He says businesses should also be on the look out for vulnerabilities.

“If you’re running a website or ecommerce platform which is vulnerable, your site could be picked out of thousands of others simply because of a known vulnerability which could be exploited,” he says.