Select Page

Incident: The Iconic promises refunds after a spate of fraudulent transactions on customer accounts | ABC News Australia

Incident: The Iconic promises refunds after a spate of fraudulent transactions on customer accounts | ABC News Australia

Australian Retail Breach, 09 January 2024

Australian retailer The Iconic, promises refunds after a spate of fraudulent transactions on customer accounts

While not directly hacked, the unauthorised third party used a technique known as ‘credential stuffing’

Company Statement: SUSPECTED UNAUTHORISED ACCESS
Source: The Iconic promises refunds after a spate of fraudulent transactions on customer accounts | ABC News Australia

View more incidents relating to Retail sector.

Update 11 Jan 2024: Customers of The Iconic at risk of being defrauded due to lack of payment verification measures | ABC News Australia
the online retailer also confirmed that a transaction “may be made” as it does not require a customer to verify their CVC numbers.

 

YouTube player

 

Online retailer The Iconic has vowed to refund customers who have been left out of pocket by thousands of dollars after their accounts were compromised and fraudulent orders were made without their permission.

Many customers have been left out of pocket by thousands of dollars and have struggled to contact The Iconic and get a timely response. The Iconic confirmed affected customers would be compensated.

The Iconic’s response stated says it has not been the victim of a cyber attack, but rather a credential stuffing attack, where hackers use leaked email and password combinations from other sites. The company vows to refund affected customers.

Credential stuffing attacks are possible because many users reuse the same username/password combination across multiple sites. This type of cyberattack in which the attacker collects stolen account credentials, typically consisting of lists of usernames or email addresses and the corresponding passwords (often from a data breach), and then uses the credentials to gain unauthorized access to user accounts on other systems through large-scale automated login requests directed against a web application.

As part of this investigation, we are working closely with expert cyber security partners to assess the impact of the incident. We have notified law enforcement authorities including the Police and the Australian Cyber Security Centre, as well as the Office of Australian Information Commission (OAIC). This investigation remains ongoing.

The Iconic Breach Statement

 


About The Author

Steven Kirby

I provide independent and practical consultancy services through raising awareness and fostering the energy for change that delivers improved business management of information security governance, risk and compliance.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Please follow the Source link to the original article to support the content owner. We only provide a brief summary with metadata to assist in categorisation.

More Australian News

How a notification wiped a business from social media | A Current Affair

Like most small businesses, Rebecca relies on social media for her brand. She spent years building her skincare line, even paying for ads on the platforms. But within seconds- it [...]

Key Trends in Cyber Security and Data Privacy (2026): a General Counsel lens

Cyber security and data privacy are now core governance tests - demanding clear decision-making authority, disciplined escalation and evidence … [...]

Australia’s New ADM Transparency Obligation: OAIC Signals a Broad Reading Ahead of December 2026

On 18 May 2026, the Office of the Australian Information Commissioner (OAIC) released its Issues Paper on the new automated decision-making (ADM) … [...]

Tracking pixels are one of many tracking tools that are often used by businesses to gain insights and target advertising effort across the internet … [...]

Legacy systems may be out of sight, but they're rarely risk-free. From forgotten databases to unsupported software, ageing technology gives attackers … [...]

Unfolding in real time: Artificial intelligence is reshaping cybersecurity

Key takeaways The cybersecurity capability of next-generation frontier artificial intelligence (AI) models is increasing rapidly. Large language … [...]

NSW Government Bulletin: Managing employee social media content in the public sector

Over recent years, the increase in social media activity across different platforms has facilitated opportunities for employees to comment on a broad … [...]

Australia: Pixel Perfect – The regulator addresses use of tracking pixels

On 11 June 2026, the Office of the Australian Information Commissioner (OAIC) published two determinations against Medmate Australia Pty Ltd (Medmate) … [...]

Discover how modern corporate investigations are shifting from email to chat and encrypted apps. Learn essential strategies for defensible forensic… [...]

Australian Cyber Aware - As It Was 2606 - June 2026

This monthly review provides a curated summary of Australian and New Zealand cyber, privacy, and information security developments identified during … [...]

Key Trends in Cyber Security and Data Privacy (2026): a General Counsel lens - Governance Institute of Australia

Cyber security and data privacy are now core governance tests – demanding clear decision-making authority, disciplined escalation and evidence that … [...]

Shares
Share This

Discover more from Australian Cyber Aware

Subscribe now to keep reading and get access to the full archive.

Continue reading