
Sydney Tools, a major Australian retailer specializing in professional tools and hardware, has left a vast trove of customer and employee data unprotected, exposing tens of millions of online order records and internal employee details. The breach, stemming from an unsecured ClickHouse database, has raised significant cybersecurity concerns, particularly as the data remains accessible despite efforts to alert the company.
The exposed database contained over 34 million records of online purchases, revealing sensitive customer information, including names, email addresses, home addresses, phone numbers, and details of ordered items. This disclosure places affected individuals at risk of identity theft, phishing attempts, and targeted fraud schemes. Security researchers have warned that criminals could use the leaked data to craft highly personalized scams, referencing specific tools customers have purchased to deceive them into divulging additional sensitive information.
Beyond customer data, the breach also exposed records related to Sydney Tools’ workforce, including both current and former employees. The database contained over 5,000 employee entries, far exceeding the company’s reported workforce of approximately 1,000 staff members. This discrepancy suggests that details of past employees were also included in the leak. Among the information revealed were employees’ names, branches of employment, salaries, and sales targets. Cybersecurity experts caution that such data could be exploited for spear phishing attacks, particularly targeting high earners within the company.
Despite multiple attempts by security researchers to notify Sydney Tools about the vulnerability, the database remains exposed, leaving customers and employees at continued risk. Researchers have also contacted the company for an official response but have not yet received a statement.
Experts stress that the leak’s implications extend beyond standard cybercrimes like identity theft and phishing. Disclosing purchase records for high-value tools could facilitate physical crimes, such as targeted tool theft. Criminals could use the information to identify individuals who own expensive equipment and exploit this knowledge for burglaries.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543