Woolworths says the data of 2.2 million customers of a website it owns has been exposed.
MyDeal, which is majority owned by Woolworths, today “identified that a compromised user credential was used to gain unauthorised access to its Customer Relationship Management (CRM) system resulting in the exposure of some customer data”.
The company is in the process of contacting the estimated 2.2 million impacted people by email, Woolworths said in a statement.
The data that has been accessed includes customer names, email addresses, phone numbers, delivery addresses and, in some instances, the date of birth of customers who had to prove their age when buying alcohol.
For 1.2 million customers, only their email addresses were exposed, the company said.
“MyDeal does not store payment, drivers licence or passport details and no customer account passwords or payment details have been compromised in this breach,” Woolworths said.
It said the Mydeal.com.au website and app had not been impacted.
There has also been “no compromise of any other Woolworths Group platforms or the Woolworths Group customer or Everyday Rewards records”.
“We apologise for the considerable concern that this will cause our affected customers,” MyDeal CEO Sean Senvirtne said.
“We have acted quickly to identify and mitigate unauthorised access and have increased the monitoring of networks.
“We will continue to work with relevant authorities as we investigate the incident and we will keep our customers fully informed of any further updates impacting them.”
Woolworths Group chief security officer Pieter van der Merwe said the company’s “cyber security and privacy teams are fully engaged and working closely with MyDeal to support the response”.
Customers who are not contacted have not had their details accessed, Woolworths said.
The major data breach comes just weeks after 9.8 million Optus customers had their data hacked.
An estimated 2.1 million of those customers had personal identification details stolen, including 150,000 passport and 50,000 Medicare numbers.
The government watchdog has since launched an investigation into the company’s handling of the cyberattack.
Telstra also experienced a “small breach”, while Medibank reported detecting unusual activity but said it had not been hacked.
Source: 9News