Home Articles A cyber-attack on FlexBooker compromised the personal data of Bunning’s clients

A cyber-attack on FlexBooker compromised the personal data of Bunning’s clients


In December of 2021, the third-party software firm suffered a cyber-security breach that led to the information of 3.7M clients being exposed, Bunnings was forced to warn its customers of the incident.

Although Bunnings is adamant that no sensitive information was lost in the recent cyber attack, incidents like these can lead to significant reputational damage. 

Known as ‘Supply Chain Attacks’, malicious actors go after third-party vendors like FlexBooker to infiltrate their large organisations like Bunnings, the main target.

Supply Chain Attacks picking traction

Lately, there has been a steady increase in these types of attacks as it is difficult for both vendors and their customers to protect their networks against well-resourced actors with the ability to compromise widely used software products.

Many companies including Bunnings rely on vendors like FlexBooker for a variety of services and given the value of these third-party providers, simply avoiding these partnerships to remove the risk of a cyber-attack is not a solution. 

Things to reduce third party risk

There are things that organisations can do to reduce third party risk largely: 

Firstly, businesses should acknowledge third-party risk and work on their exposure – defining their tolerance to risk goes a long way in combating supply chain attacks.

Secondly, ensure the key stakeholders you work with understand your supply chain process and that third-party risk processes are established.

Thirdly, when your organisation identifies possible vendors to partner with, ensure that cyber-security is covered in the contract. 

Once your organisation partners with a vendor, it is important that a process is in place to continually assess and monitor risk, for example, utilising vendor risk assessment questionnaires can help you make sure that a vendor’s internal data handling practises and procedures are secure and can help you identify any possible risks.

Understanding where your most critical assets are and who has access to them is a vital component of any cyber-security strategy. 

Lastly, even with all these measures in place, due to the increase in sophistication of hackers, it is important to be always prepared and have an incident response plan in place to mitigate the impact a security incident can have on your organisation. 

Bunnings and FlexBooker is another unfortunate addition to the rapidly growing list of victims of cyber-attacks in Australia and globally.

It is important that organisations, large or small, prioritise the uplift of all facets of their cyber-security policies as well as ensuring their vendors do the same.

Adopting a proactive approach when it comes to fighting back against cybercrime is the best way to protect your business from becoming the next cautionary tale.


Ajay Unni has over 30+ years’ IT industry experience, with over 15 years as a cyber-security specialist. He is the founder of StickmanCyber, a business that helps companies mitigate their cyber-security risks.