Department store chain David Jones today began informing customers of a large-scale data breach which saw attackers gain access to the retailer's website to pilfer sensitive personal details.
David Jones revealed an unnamed third party exploited a vulnerability in its IBM WebSphere-based website to steal "limited" information about its customers.
It's the second attack in a week on a retailer with an ecommerce platform based on the WebSphere technology - Kmart Australia yesterday revealed it had suffered a similar breach.
The stolen David Jones data includes customer names, email addresses, order details and mailing addresses, the retailer said.
It stressed that no credit card details, financial information or passwords were accessed. The retailer uses a payments gateway and does not store customer financial data internally.
The company said it became aware of the attack last Friday and acted "swiftly" to prevent further unauthorised access.
David Jones said it had reported the attack to the Privacy Commissioner and the federal police.
It declined to provide detail on who was behind the attack, and said it was working with "cyber security experts" and the AFP on the issue.
It said it had closed down the vulnerability that allowed the attackers to gain entry into its website.
David Jones warned customers not to fall prey to phishing attempts, advising it would not ask customers to provide financial details over the phone or by email.
"If customers have not received a message from David Jones regarding this situation they have not been impacted," the retailer informed affected consumers.
"We are committed to making this right and are taking action to reduce the likelihood of this happening again.
"We are reviewing our systems, security measures and working with expert security consultants. Protecting our customers is of paramount importance to us."