Farmers and Whitcoulls owner James Pascoe Group sends data breach notification to Privacy Commissioner

A cyber attack saw some Farmers stores reduced to cash-only operations over the weekend. Photo / Andrew Warner

James Pascoe Group, the owner of Farmers, Whitcoulls, Pascoes The Jewellers and Stewart Dawsons, has sent the Office of the Privacy Commissioner (OPC) notice of a data breach.

“We were notified of a breach by James Pascoe Group yesterday,” a spokeswoman for the OPC told the Herald.

The Privacy Act 2020 requires an organisation to report a serious data breach to the OPC, but also limits what the Privacy Commissioner can say while a breach is being assessed.

“Information about the nature, cause and scale of the breach are best directed to the James Pascoe Group,” the OPC spokeswoman said.

Over the weekend some Farmers stores were reduced to operating on a cash-only basis and at least one Whitcoulls store was forced to close after the group was struck by IT issues, which also affected its phone system. A Whitcoulls staff member in Wellington told Business Desk, “The whole back end’s down - the intranet, the phones, everything”.

When the Herald called James Pascoe Group this morning, a spokeswoman said the company had released a media statement, but declined to forward it. Asked if the group had anyone who could answer questions about the IT issues, she said no comment. Asked if the group had a communications manager, she said “no comment”. The group’s head of IT and brand manager did not respond to messages.

Two Farmers Card users spoken to by the Herald said they had not had any communication about the breach incident.

One, who attempted to shop at Farmers’ Albany store on Saturday, said staff were stationed by the door, informing customers that electronic payment systems were down. They did not know why.

The other had emailed a query via the Farmers Club website, asking if any of her personal details or credit card information had been compromised. A customer services rep replied an hour later: “Following the recent cyber-attack, we can confirm that your credit card information is safe - Farmers do not hold your credit card details in the system”.

“We can also confirm there is no evidence to suggest your personal data has been compromised.”

None of the companies in the James Pascoe Group - owned by rich listers Anne and David Norman - appeared to have any information about the cyber attack on their websites.

READ MORE: ‘The whole back end is down’: James Pascoe stores face IT issues

In statement to BusinessDesk at 5.30pm yesterday, James Pascoe Group said:

“Over the weekend, the James Pascoe Group experienced a cyberattack. Our security systems detected the attack quickly, minimising any potential damage. This affected our store telephone lines, customer service contact email and other IT systems. We are investigating further but most of the systems have been restored. We would like to thank our customers for their patience during this disruption.”

The OPC’s guidelines say: “Under the Privacy Act 2020, if your organisation or business has a privacy breach that either has caused or is likely to cause anyone serious harm, you must notify the Privacy Commissioner and any affected people as soon as you are practically able.”

Chris Keall is an Auckland-based member of the Herald’s business team. He joined the Herald in 2018 and is the technology editor and a senior business writer.