Data Breach Announcement

 

We are extremely disappointed to inform you that Keg King has been a victim of a cyberattack.
As you are a registered Keg King customer, this has resulted in unauthorised access to your personal information by an unknown third party. 

 

We take the security of your personal information very seriously, and we want to assure you that we have taken immediate steps to address this issue. We have removed any known vulnerabilities, updated our security monitoring and continue to monitor and re-evaluate our systems to prevent similar incidents from occurring in the future. 

 

What happened?
Multiple incursions occurred between the 27th of February and the 28th of March 2023 (Australian Eastern Daylight Time), resulting in unauthorised access to our ecommerce system via a vulnerability in the online ecommerce software. 

 

Keg King’s response
On identifying the cyberattack, the ecommerce system was taken offline to investigate and protect against further attack, and the following actions were taken: 

  • A malicious script was identified and removed.
  • Security patches were applied to protect against known vulnerabilities.
  • Security monitoring was updated.

 

What information was accessed?
Based on our investigation, the personal information which has been accessed may include your name, email, phone number, address and the “password hash” associated with your customer account. Please see further information on passwords below. 

 

NOTE: In accordance with best practices, our ecommerce software does not store credit card or financial account details.
However, on the 27th March 2023 (AEDT), as part of the cyberattack, a malicious script was installed that may have been used to “harvest” passwords and/or credit card numbers.
This script was identified and removed within 17 hours of being activated.
A small subset of customers who logged in or made purchases during this period may have been affected.
We will contact these customers separately. 

 

What actions should you take?
We strongly recommend that you change your password. Please see further information on passwords below. 

Also, please carefully review the information that was accessed by this incident and think about whether this could result in you experiencing any harm. Some steps to consider taking to protect yourself may include: 

  • Be aware of emails and telephone calls from people requesting your personal details (especially things like your date of birth, residential address, email address, username or passwords, which are often used to verify your identity).
  • Be wary of contact from scammers who may have your personal information. This may include suspicious emails, texts, phone calls or messages on social media.
  • Never click on any links that look suspicious and never provide your passwords, or any personal or financial information.
  • If people call you posing as a credible organisation and request access to your computer, always say no.
  • Look out for any suspicious or unexpected activity across your online accounts.
  • Contact IDCare on 1300 432 273 or visit www.idcare.org; they can provide you with additional guidance on the steps you can take to protect yourself from identity fraud.
  • If you start to receive unwanted telemarketing calls, consider registering your number with the Australian Communications and Media Authority’s ‘Do Not Call register’ by visiting www.donotcall.gov.au/consumers/register-your-numbers.
    You can also contact your service provider and request to change your number.  

 

If, on the 27th March 2023 (AEDT), you completed an online purchase from Keg King using a credit card, please consider taking the following steps:

  • Alert your financial institution so that they can implement additional monitoring and security protocols on your account.
  • Closely monitor your financial statements for unauthorised transactions. If you identify a transaction you didn’t make, report it immediately to your financial institution.
  • Contact Australia’s three credit reporting agencies (Equifax, illion and Experian) to confirm if your identity has been used to obtain credit without your knowledge or to request that a credit ban be put in place. 

 

Regarding Passwords

Please note that, in accordance with best practices, our ecommerce software does not store actual passwords, but stores a “hash” of your password.

A password hash is a representation of your password that simply cannot be un-hashed to retrieve the password.
When a login attempt is made with a password, a separate hash is created with the provided password. This new, temporary hash is compared with the account’s stored password hash and if the hashes match, the login attempt was successful. 

 

However, given time and resources, an attacker with a password hash may determine the original password by applying the same hashing process to an exhaustive list of words (such as a dictionary), common passwords and/or random characters, until one matches the original hash. 

For this reason, we strongly recommend you change the password for your Keg King account. We also recommend changing passwords for any other online account where you may have used the same email and password.
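The login comparison and the list-matching risk described above, as an added example that is not Keg King's or its ecommerce vendor's code. The notice does not name the hashing algorithm, so salted PBKDF2-HMAC-SHA256 is an assumption, and the passwords and word list are constructed sample data.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Assumption: the notice does not say which algorithm the ecommerce software
# uses; salted PBKDF2-HMAC-SHA256 stands in for it here.
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). Only these are stored, never the password itself."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_login(attempt: str, salt: bytes, stored: bytes) -> bool:
    """Hash the attempt with the account's salt and compare in constant time."""
    _, candidate = hash_password(attempt, salt)
    return hmac.compare_digest(candidate, stored)


def found_in_wordlist(salt: bytes, stored: bytes, wordlist: List[str]) -> Optional[str]:
    """Audit check: return the list entry that reproduces the stored hash, if any."""
    for word in wordlist:
        if verify_login(word, salt, stored):
            return word
    return None


# Constructed sample data: a short list of common passwords and two accounts.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "dragon"]
WEAK_ACCOUNT = hash_password("letmein")
PASSPHRASE_ACCOUNT = hash_password("copper kettle hums at dawn")

if __name__ == "__main__":
    # The hash is never reversed; the common password is simply re-hashed and matched.
    print("weak account:", found_in_wordlist(*WEAK_ACCOUNT, COMMON_PASSWORDS))
    # A long passphrase that appears on no list produces no match.
    print("passphrase account:", found_in_wordlist(*PASSPHRASE_ACCOUNT, COMMON_PASSWORDS))
```

The per-account salt means two customers with the same password have different stored hashes, so each leaked hash has to be tested separately.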

 

For more information on password security, please read
https://www.cyber.gov.au/protect-yourself/securing-your-accounts/passphrases 

 

 

We understand that this may be a concerning situation, and we sincerely apologize for any inconvenience it may cause you.

Please be assured that we have followed the advice of security experts.

We have removed any known vulnerabilities, updated our security monitoring and continue to monitor and re-evaluate our systems to prevent similar incidents from occurring in the future. 

 

If you have any further questions or concerns, please do not hesitate to contact us at [email protected]

 

Thank you for your understanding and cooperation. 

The Keg King Team