The Gold Coast Bulletin

Major brands hit in credit card hack

Details stolen in coordinated attack

- Eleanor Campbell

Anthony Albanese has vowed to look at any measures possible to protect businesses from scams after thousands of online shoppers had their credit card details stolen by hackers in a major coordinated attack.

Large businesses including Dan Murphy’s, Event Cinemas and Guzman Y Gomez were targeted by cybercriminals who fraudulently accessed over 15,000 customers’ online accounts since November last year.

Scammers who purchased the stolen login details from overseas cyber-criminals then racked up thousands in online purchases.

Impacted customers had either saved their credit card details on company websites or had gift cards or store credit for online purchases.

The Prime Minister said cyber crime was a “huge issue” and represented a genuine threat to Australia and its economic security.

“This is a scourge and there are so many vulnerable people being ripped off who’ve acted in absolutely good faith and we need to make sure they are protected,” Mr Albanese said on Wednesday.

Founder of cybersecurity firm Kasada, Sam Crowther, who has been tracking the ‘credential stuffing’ scheme, said cyber criminals took to online chat rooms to brag about buying iPhones, clothing and almost $800 of alcohol using unsuspecting Australians’ money.

He said the majority of online crime groups are being run out of Eastern Europe and warned similar attacks would follow given the strong financial viability of the scam.

“This is the first real concerted effort in Australia that we’ve seen,” Mr Crowther told NCA NewsWire. “What’s different this time is this is a large group we’ve been tracking in the US who are now turning their sights to Australia.”

A Dan Murphy’s spokesperson said less than 100 customer accounts were impacted by the fraudulent transactions as a result of email and passwords being obtained through third party breaches.

“Our team took immediate action and has been working with affected customers. Our investigations are ongoing, with a focus on the continued security of our systems and customer personal information within our environment,” they said.

Both Event Cinemas and Guzman Y Gomez have been contacted for comment.

While streaming service Binge was originally named, it has confirmed that its “customers remain unaffected by credit card scams, including the one reported by Kasada, and no credit card details have been compromised”.

Major online retailer The Iconic was also hit by the scheme and vowed earlier this week to refund customers whose accounts were used to place fraudulent orders.

Credential stuffing refers to when hackers use previously stolen passwords from one website and try to reuse them elsewhere.

Australia’s Cyber Security Centre received over 94,000 reports of cybercrime over the past financial year, an increase of 23 per cent from 2021-22.
