The personal information of 2.2 million people has been exposed after an online shopping site owned by retail giant Woolworths Group was breached.
A hacker used a compromised user credential to gain access to the information of customers of MyDeal, an online retail marketplace in which Woolworths acquired an 80 per cent stake last month.
The exposed data include the names, email addresses, phone numbers, delivery addresses and birthdates of those who validated their age to buy alcohol.
A cyber actor used the user credential to gain access to MyDeal’s Customer Relationship Management system, which in turn provided access to a range of customers’ personal information. All MyDeal users whose details were impacted have now been contacted by the company.
Of the 2.2 million users involved, 1.2 million of them had just their email address exposed. MyDeal did not store sensitive details like payment information, passports or driver licences, and no passwords were compromised, the company said.
“We are writing to inform you of unauthorised activity on one of our systems that has led to some of your account details being accessed,” the MyDeal email sent to impacted users said.
“We are extremely apologetic that this has occurred and that your data has been accessed. We want to assure you that we are working around the clock to resolve this incident.”
MyDeal chief executive Sean Senvirtne apologised for the data breach and said it had been discovered on the same day it occurred.
“We will continue to work with relevant authorities as we investigate the incident and we will keep our customers fully informed of any further updates impacting them,” Senvirtne said in a statement.
The company is now working with cyber security experts and has also engaged the relevant authorities and government departments, and notified the Office of the Australian Information Commissioner.
MyDeal is an ecommerce platform featuring a curated set of retailers. Woolworths acquired 80 per cent of MyDeal last month in a deal believed to be worth $218 million.
The cyber security and data protection of Australian companies has been in the spotlight recently following the massive Optus data breach, with the federal government now reviewing the country’s privacy laws with a view to increasing protections by the end of the year.
Last month the personal details of 9.8 million Optus customers were exposed. These details included a range of identification documents, including passports, driver licences and Medicare card numbers.
The Office of the Australian Information Commissioner (OAIC) and ACMA are now investigating the breach, with the potential of a fine of up to $2.2 million for each contravention of the privacy principles.
And just this week it was revealed that Medibank, one of Australia’s largest private health insurance providers, identified suspicious network activity and shut down access to customer systems in a bid to isolate the incident and reduce the risk of data loss.
Medibank has said there is no evidence that any customer data has been removed from its network.
The federal government is now looking to reform the Privacy Act, with the potential of introducing harsher fines for companies subject to data breaches.
“Australians need to be assured that when their data is asked for and taken from them by a private company or by government that it will only be used for the purpose for which it has been collected,” Attorney-General Mark Dreyfus said following the Optus breach.
“We need to get in place something that encourages companies to dispose of data safely, to not keep data when they no longer have a purpose for it.”