Another day, another data breach and this time it’s Woolworths, via its subsidiary MyDeal.
Woolworths Group on Friday confirmed that 2.2 million customer records had been accessed after a compromised credential was used to trawl the MyDeal system.
MyDeal, if you’re unfamiliar, is an online retail marketplace that provides customers with “quality products from a curated selection of trusted retailers”. It has been a publicly listed company on the ASX since October 2020, but Woolworths Group completed the acquisition of approximately 80 per cent of MyDeal on 23 September 2022.
MyDeal customer data which has been accessed in the data breach includes customer names, email addresses, phone numbers and delivery addresses. In some cases, where customers provided their age to purchase alcohol, their date of birth has been leaked, too. While 2.2 million customer records are caught up in the incident, MyDeal said for 1.2 million customers, only their email addresses were exposed.
Woolworths said MyDeal does not store payment, driver’s licence or passport details and said no customer account passwords or payment details have been compromised.
It also said the breach was limited to the CRM system, meaning the Mydeal.com.au website and app have not been impacted. Nor have any of Woolworths’ own systems, including Everyday Rewards.
“We apologise for the considerable concern that this will cause our affected customers,” MyDeal CEO Sean Senvirtne said.
“We have acted quickly to identify and mitigate unauthorised access and have increased the monitoring of networks. We will continue to work with relevant authorities as we investigate the incident and we will keep our customers fully informed of any further updates impacting them.”
MyDeal is in the process of contacting the affected customers by email. In clear messaging (looking at you, Optus), MyDeal said customers who are not contacted have not had their details accessed in the breach.
Woolies’ cyber experts are helping MyDeal, but the group is also working with relevant regulatory authorities and government agencies.
If it feels like déjà vu, that’s because it’s been a wild few weeks in the data breach space. At the end of September, Optus revealed it had fallen victim to a data breach, and just last week Medibank announced it had suffered a ‘cyber incident’.