Bunnings stresses little risk to customers from FlexBooker data leak

Bunnings customers who have used its ‘click and collect services are among 3.7 million people globally whose personal data have been involved in a breach.

For its part, Bunnings stressed that the risk to its customers was minimal as they were not required to enter sensitive personal information through this provider.

Scheduling platform FlexBooker had a portion of its customer data compromised after a data breach occurred on its AWS servers on December 23.

According to Leah Balter, Bunnings Chief Information Officer, "We are aware of a data security breach experienced by one of our third-party booking providers, which may include the data of some of our customers who have booked a timeslot when utilising our Drive & Collect service.
  
Balter said the company is continuing to work with the third-party provider to further understand the details of how this breach occurred, and the processes being put in place to correct it. "And we’re reaching out directly to any customers whose name or email address may have been accessed.  We’ve also posted an update on our website regarding this incident."
  
"The customer information shared through this third-party provider is limited to full name and email address only. Bunnings’ customers are not required to enter sensitive personal information through this provider, such as passwords, mobile numbers, or credit card information, so we are confident that none of these categories of customer data have been compromised."
  
She said Bunnings takes the security of our customers’ and team members’ personal information very seriously, and will carry out a thorough investigation into this incident.  

"Bunnings uses third-party software platform FlexBooker for its click and collect services."

In a post, the scheduling platform reported its account on Amazon’s AWS servers was compromised resulting in its “temporary inability to service customer accounts, and preventing customers from accessing their data”.

The data taken from the servers included first and last names, email addresses and phone numbers, according to FlexBooker. Credit card details and other payment card numbers were not accessed, as per the statement.

In response to the outage, FlexBooker said it worked closely with Amazon to restore a backup, and were able to restore operations within 12 hours. FlexBooker said it is working further with Amazon to understand what happened.

FlexBooker is an online booking and scheduling software used by brands such as GoDaddy and Chipotle.