Woolworths’ MyDeal subsidiary has revealed a breach affecting 2.2 million customers, with a hacker trying to sell the stolen data online.
According to MyDeal, it suffered a breach last Friday when a hacker used compromised credentials to gain access to its Customer Relationship Management (CRM) system.
What information was exposed?
This data breach affected 2.2 million customers, exposing names, email addresses, phone numbers, delivery addresses, and in some cases, birth dates.
For 1.2 million customers, only their email addresses were exposed, the company said.
“MyDeal does not store payment, drivers licence or passport details, and no customer account passwords or payment details have been compromised in this breach,” the company said.
MyDeal stolen data offered for sale
The stolen data was put up for sale on an online hacking forum for $600 on Sunday, after the MyDeal breach.
According to the hacker, the current database contains 1 million entries, but the number of exposed customers will increase as they analyse it.
The threat actor claimed that they captured screenshots of the company’s AWS account and Confluence server as evidence of their attack.
The hacker also released samples of the stolen data, exposing the personal information of 286 alleged MyDeal customers, according to BleepingComputer.
Woolworths Group platform and Everyday Rewards unaffected
Both the Mydeal.com.au network and its CRM system operate on platforms separate from Woolworths’ own.
Woolworths said “there has been no compromise of any other Woolworths Group platforms or the Woolworths Group customer or Everyday Rewards records.”
MyDeal CEO, Sean Senvirtne, said the company has “increased the monitoring of networks.”
“We will continue to work with relevant authorities as we investigate the incident and we will keep our customers fully informed of any further updates impacting them.”
Customers who are not contacted have not had their details accessed, Woolworths said.