Security Success Story

How Baby Bunting Achieved Continuous Visibility With Reflectiz 

How Australia’s leading baby retailer replaced manual processes with automated third-party script monitoring.

The Challenge: Manual Processes Don’t Scale and Regulators Don’t Wait 

Baby Bunting is Australia’s leading baby goods specialty retailer, operating since 1979, with 75 stores across Australia and 5 in New Zealand. Its e-commerce business now accounts for 22-25% of total sales, a high-volume transaction environment with a complex third-party script ecosystem to match. 

Before Reflectiz, the security team relied on manual processes to understand what scripts were running on the website. The result was a partial, static view of the environment, enough to know some of what was there, not enough to catch changes or new behaviors as they appeared. 

That gap matters more in Australia today than it did a few years ago. Following major breaches at Optus, Medibank, and Latitude, the regulatory environment has tightened significantly. Potential penalties have reached what Head of Cyber Security Kirk Stephens described as a potentially fatal blow to businesses. For a retailer processing payment and personal data at scale, flying blind on third-party scripts is no longer a risk that can be absorbed.

The Liability of Not Having Visibility 

Baby Bunting works with a range of marketing analytics and retail technology vendors. Each one brings scripts that access data fields on the site. Each of those access points needs to be understood, expected, and contractually covered, especially under applicable Privacy Acts.

Without automated visibility, that’s an ongoing liability. Scripts change. Vendors update their tags. New behaviors appear without notice. A team relying on periodic manual review will always be behind. 

"…it gives us visibility of any changes they're making, any different data that they start capturing or processing. It allows us to make decisions on whether those changes are acceptable, expected, or not expected, and if they're compatible with our PCI and privacy requirements."
Kirk Stephens, Head of Cyber Security, Baby Bunting

With Reflectiz in place, the team now sees changes in real time, not at the next manual review cycle. 

Turning Visibility into Vendor Accountability 

Visibility without action is just information. What changed for Baby Bunting is that Reflectiz made it easy to act on what the platform surfaces. 

When a third-party script behaves unexpectedly, accessing data fields it shouldn’t, or capturing information outside the scope of the vendor agreement, Kirk now has the specifics needed to go back to the vendor directly. 

"We can use that to ask them, 'Why are you doing this? Can you stop doing that?'"
Kirk Stephens, Head of Cyber Security, Baby Bunting

And when a vendor can’t or won’t change the behavior, the team has the information it needs to make a real decision: amend the contract, or replace the vendor. 

"…if we find something that shouldn't be there, is that something we can then modify those agreements to accommodate, or do we need to seek an alternative for that purpose?"
Kirk Stephens, Head of Cyber Security, Baby Bunting

That’s a different posture than hoping vendors are doing what they say they’re doing. 

A Privacy Initiative That Actually Had Evidence Behind It 

The elevated visibility Reflectiz provides didn’t just improve day-to-day operations; it unlocked a broader privacy initiative. Baby Bunting was able to use the platform’s script inventory to help establish which scripts were collecting personal data and then confirm whether appropriate contractual provisions were in place to cover that collection.

As regulatory scrutiny increases, that kind of documented, auditable view of data flows becomes a compliance asset. It’s the difference between “we believe our vendors are compliant” and “here’s the evidence.” 

Stability Under Pressure: Peak Periods Without Security Compromises 

During high-traffic retail periods such as Cyber Month, Boxing Day, and end-of-year clearance sales, Baby Bunting enforces change freeze periods to keep the production environment stable. Combined with WAF and DDoS protections, the approach is designed to maintain consistent performance when it matters most.

Reflectiz fits into this model cleanly. Continuous monitoring runs without any changes to the production environment, so security visibility doesn’t compete with operational stability during peak periods. The team gets coverage when volume is highest, without introducing any new variables. 

No Code Changes. No Delays. No Surprises. 

The deployment story is short because there’s not much to tell. Reflectiz required no code changes to Baby Bunting’s website. 

Kirk noted that the team could have accommodated additional technical requirements if needed, but they weren’t needed. The platform was up, the Discovery process (Reflectiz’s automated scan that maps all third-party scripts and data flows across websites) identified the right data sources, and the team had what they needed without touching the production environment. 

"It's definitely a big positive not having to do that. We got all the support we needed to get things up and running, and the Discovery process made sure we were getting the data that we needed."
Kirk Stephens, Head of Cyber Security, Baby Bunting

Time to value is shorter when there’s no implementation project standing between deployment and results. 

The Business Impact 

  • Continuous visibility: Automated script inventory replacing a partial manual process, with real-time alerts on changes and new behaviors 
  • Vendor accountability: Specific data to challenge vendors on unexpected script behavior, and to make informed decisions when they can’t or won’t change 
  • Privacy compliance: Ability to use the script information to confirm contractual coverage for key systems, as part of a structured privacy initiative 
  • Operational resilience: Full security coverage during peak retail periods with no production environment changes 
  • Zero developer overhead: No code modifications, no agency involvement, no internal build required 

The Bottom Line 

Baby Bunting now knows exactly what’s running on its checkout pages, and can prove it. Automated script inventory replaced a manual process that was always incomplete and always behind. Vendors are held to their agreements with specific evidence, not assumptions. 

Against a regulatory backdrop where penalties have escalated to levels Kirk Stephens has described as existential for companies, that kind of continuous, documented visibility isn’t optional. It’s how a retailer at this scale manages third-party risk without adding developer overhead, agency involvement, or production environment changes. 

For security leaders weighing the same challenge, Kirk’s take is direct: 

"The payment card industry standards are an important requirement, and especially if you've got multiple brands or websites, trying to do that manually would be impossible. The value is significant — it gives you the discovery and the logs of what you've approved and reviewed. The AI justifications are really time-saving as well: it sees what the script's doing, knows what it is, and if it's seen it before, you can utilize that to make the review process quite straightforward."
Kirk Stephens, Head of Cyber Security, Baby Bunting
