Woolworths has reported a data breach impacting 2.2 million users of its MyDeal subsidiary.
The company said in a stock exchange filing that a compromised user credential was used to gain unauthorised access to MyDeal’s customer relationship management system.
The company is now contacting impacted users by email.
“Woolworths Group’s cyber security and privacy teams are fully engaged and working closely with MyDeal to support the response,” said Woolworths Group chief security officer, Pieter van der Merwe.
Compromised data includes customer names, email addresses, phone numbers, delivery addresses, and in some instances, customers’ date of birth, which was required for people who have purchased alcohol on the MyDeal site. For 1.2 million customers, only email addresses were accessed.
Woolworths said it does not store payment details, driver’s licence or passport details and no customer account passwords or payment details have been compromised.
Woolworths Group owns 80 per cent of MyDeal, an online marketplace. The subsidiary’s data and CRM system is operated on a separate platform from Woolworths Group and there has been “no compromise” of any other Woolworths Group platforms, Woolworths Group customer records, or Everyday Rewards membership details.
The company said it has “commenced engagement with relevant regulatory authorities and government agencies”.
Customers who are not contacted by MyDeal can be assured their data has not been accessed.
“We apologise for the considerable concern that this will cause our affected customers,” said MyDeal CEO, Sean Senvirtne. “We have acted quickly to identify and mitigate unauthorised access and have increased the monitoring of networks. We will continue to work with relevant authorities as we investigate the incident and we will keep our customers fully informed of any further updates impacting them.”
The MyDeal breach comes just weeks after a serious breach of Optus customer records affecting 9 million Australians.
With regard to that event, the Office of the Australian Information Commissioner is investigating whether the Singapore Telecommunications Ltd-owned company took reasonable steps to protect customer data and comply with privacy laws and the Australian Communications and Media Authority (ACMA) said it was investigating whether Optus met its industry obligations as a telecommunications provider in terms of the keeping and disposing of personal data.
