Online appointment scheduling tool Flexbooker is the provider of Bunnings' Drive & Collect platform. On the afternoon of December 23, Flexbooker's account on Amazon’s AWS servers was "compromised", resulting in a temporary outage.
Flexbooker says it worked with Amazon to restore operations within 12 hours.
However, says the company: "As part of the incident, our system data storage was also accessed and downloaded."
The downloaded data in question included some customers' personal information: first and last names, email addresses, phone numbers and passwords, says Flexbooker, but the passwords are encrypted, and the encryption key was not accessed or downloaded.
No payment-related information is required in Bunnings' Drive & Collect system, so none was at risk.
Leah Balter, Bunnings' Chief Information Officer, comments on the incident: "We are aware of a data security breach experienced by one of our third party booking providers, which may include the data of some of our customers across Australia and New Zealand who have booked a timeslot when utilising our Drive & Collect service.
"We’re continuing to work with the third party provider to further understand the details of how this breach occurred, and the processes being put in place to correct it and we’re reaching out directly to any customers whose name or email address may have been accessed."
Flexbooker has also confirmed that the vulnerability giving rise to the breach has now been contained.
Leah Balter concludes: "Bunnings takes the security of our customers’ and team members’ personal information very seriously, and will carry out a thorough investigation into this incident.
"As we have taken a cautious approach with this matter, we have reported it to the Office of Australian Information Commissioner (OAIC) and posted an update on our website regarding this incident."
You can find Bunnings' response in New Zealand to this breach here.