Kings Plant Barn has contacted customers about a security breach to FlexBooker, the internet-based system it uses to organise click-and-collect bookings.
Names, email addresses and collection times were exposed.
But the gardening chain says no credit card, password details or mobile have been spilled.
A Kings customer forwarded the Herald a copy of an email sent this morning with the subject line "An Important Privacy Update".
He was surprised to receive the alert. "I'm not a club member, just ordered some plants via click-and-collect when it was the only way to buy stuff during the lockdown," he said.
Yet the email was also familiar, with its text closely matching an alert he received from Bunnings last week.
That's no coincidence. Both Kings and Bunnings use the cloud-based FlexBooker to organise click-and-collect, along with many other retailers around the world.
And on January 7, the US-based firm revealed a group of hackers had stolen data on December 23. The cyber-heist saw details from some 3.7 million accounts compromised.
Since then, a number of retailers around the world that use FlexBooker have issued alerts to their customers, including Bunnings' Australian and NZ operations on January 13.
In the Kings email this morning, general manager Chris Hall says "We have contacted FlexBooker requesting further information, and are reviewing the ongoing usage of this booking system as part of our investigation."
He adds, "There's no action you are required to take at this stage in response to the breach. We just wanted to make sure you were aware of it and to please be cautious of any unusual activity on your email account."
Customers who do notice anything awry are told to contact Netsafe.
Why did it take so long for Kings to issue an alert?
"We are sincerely disappointed that we were only informed of the data breach via Bunnings public relations response last week," Kings head of marketing Natalie Allen told the Herald.
"While only a small number of our customers were affected in comparison to the millions of Bunnings customers, I think our greatest disappointment is that FlexBooker did not inform us as a paid customer of their software service so that we could advise our customers more promptly.
"We are following the recommendations by the Privacy Commission in this instance and have an investigation underway, but the security and protection of our customers is our number one priority. The email was sent within a few hours of us learning of the incident that occurred last year, as we wanted our customers to be informed so any suspicious activity could be actioned accordingly."
FlexBooker released a notice in the first week of January, admitting that its cloud systems were targeted.
"On December 23, 2021, starting at 4:05 PM EST our account on Amazon's AWS servers was compromised, resulting in our temporary inability to service customer accounts, and preventing customers from accessing their data," it said.
"As part of the incident, our system data storage was also accessed and downloaded. In response to the outage, we worked closely with Amazon to restore a backup, and were able to restore operations within 12 hours."
It's unclear how the attackers were able to compromise the FlexBooker account and whether human error such as cloud misconfiguration had anything to do with it.
According to FlexBooker, the stolen information included customers' full names, email addresses and phone numbers. It claimed that no payment card details were compromised, although according to HaveIBeenPwned, "partial credit card data" was taken.
Customer passwords were encrypted, and the encryption key was not accessed or downloaded, FlexBooker said.
The company added, "As a precautionary measure, we recommend that you remain vigilant by reviewing your account statements and credit reports closely. "