Bunnings Confirms Some Customer Data Is Caught up in FlexBooker Breach


Cloud-based scheduling platform FlexBooker suffered a large data breach recently that appears to have affected some 3.7 million people. While the casualty list is growing globally, Bunnings has become the latest known victim of the data breach, with reports indicating private customer data has been exposed.

FlexBooker sells an online scheduling tool that assists with setting up meetings, reservations, and appointments. It is understood Bunnings used this platform for help with its Drive & Collect service.

It is reported, however, that Bunnings customers were being told of the breach through the well-known breach notification website Have I Been Pwned and not by Bunnings.

Bunnings chief information officer Leah Balter confirmed to Gizmodo Australia that customers’ data could be included in the leak.

“We are aware of a data security breach experienced by one of our third party booking providers, which may include the data of some of our customers who have booked a timeslot when utilising our Drive & Collect service,” she said.

“As soon as we were made aware of the breach, we reached out to customers whose data may have been accessed. We’re continuing to work with the third party provider to further understand the details of how this breach occurred, and the processes being put in place to correct it.”

BleepingComputer reported last week that FlexBooker’s unfortunate data situation was kicked off last month when a denial-of-service attack disrupted the company’s operations just days before Christmas. The number of people affected is pinned at 3.7 million.

According to Have I Been Pwned, the compromised information includes names, phone numbers, email addresses, passwords, and, in some cases, partial credit card information.

But customer information shared through FlexBooker, Bunnings says, is full name and email address only.

Bunnings’ customers are not required to enter sensitive personal information – such as passwords, mobile numbers, or credit card information – through this provider, so Balter says she’s confident that none of this type of info has been compromised.

“Bunnings takes the security of our customers’ and team members’ personal information very seriously, and will carry out a thorough investigation into this incident,” she added.

Update 11/01/2022 at 7.50am AEDT: This post has been updated to include comment from Bunnings CIO Leah Balter. We will make further updates as required.