The Iconic promises to issue refunds to hacked customers

Online retailer The Iconic has pledged to issue full refunds to customers who have been left out of pocket following an uptick in hackers using stolen login details to access their accounts.

The company confirmed it had seen a spike in ‘credential stuffing’ – a method of attack in which hackers use lists of compromised user credentials, like email and password combinations exposed in separate data breaches, to breach other systems.

The Iconic is offering customers refunds after a rise in hackers accessing customer accounts and making fraudulent orders.

“We have recently seen an increase in fraudulent account login attempts on The Iconic, which our security and fraud teams continue to actively manage, in conjunction with our security partners,” the retailer said in a statement on Tuesday. The Iconic website itself was not hacked.

“We are working with all customers to address these incidents, which are not a result of a data breach at The Iconic.

“The security of our customer data is of the utmost importance to us, and we continue to work with our third-party security partners to protect against all fraudulent activity.”

Several customers took to the retailer’s recent Facebook posts to complain about being left out of pocket, with some claiming more than $1000 had been taken out of their bank accounts.

The business is urging customers to change their passwords and said affected customers will be offered full refunds.

“We encourage all Iconic customers to be vigilant when it comes to proactively managing their account security by regularly changing their passwords,” the company said.

The Iconic is the latest in a fast-growing list of Australian organisations to suffer a cybersecurity incident. As this masthead reported on Tuesday, thousands of travellers had their personal information including passport images, travel itineraries and tickets exposed online in an incident affecting Melbourne-based travel agency Inspiring Vacations.

Jere Calmes is the chief executive officer of online retailer The Iconic.

St Vincent’s Health and Court Services Victoria also recently suffered debilitating cyber incidents, which have by now impacted almost every Australian.

According to the consumer watchdog’s most recent Targeting Scams report, Australians lost a record $3.1 billion to scams in 2022. Investment scams were the highest loss category ($1.5 billion), followed by remote access scams ($229 million) and payment redirection scams ($224 million).

Ashwin Ram, cybersecurity evangelist at Check Point Software, said an organisation in Australia had been attacked on average nearly 700 times a week over the past six months.

“These recent ones appear to be financially motivated, and cybercriminals are extorting as much as possible from their victims. Many attacks begin with some form of social engineering, such as the one against Court Services Victoria, where email was the delivery mechanism for initial access,” he said.

“The most common attack vectors include phishing, cloud misconfiguration, software vulnerabilities and compromised credentials, as was the case in the St Vincent’s Health breach.”

The Iconic has been consistently unprofitable in the Australian market since it was established in 2011. The online retailer cut a total of 116 roles last year after a redundancy round in February was followed by another one in August.

In November, this masthead revealed the company issued nearly $201,000 in underpayments that were discovered in the midst of upgrading its payroll and HR systems. This followed underpayments of more than $1 million between 2013 and 2019.

Source: Thanks smh.com