In a statement issued on Friday, Woolworths said 2.2 million customers were affected, adding that it had begun to contact regulatory authorities and government agencies.
The MyDeal site is hosted by Amazon in the US, according to Internet services company Netcraft, and appears to use ASP.NET, technology sold by Microsoft.
Optus & Woolworths have been hacked. Government health records were hacked.
This is being used as an excuse to spend billions on Digital ID & biometric security.
Yet the only system in the world a hacker can't get into is an old-fashioned filing cabinet filled with paper. — Alexandra Marshall (@ellymelly) October 15, 2022
As per Microsoft's own site, "ASP.NET is a free, cross-platform, open source framework for building Web apps and services with .NET and C#."
Is the facial recognition data of that @Woolworths covertly extracts from customers and stores for commercial and “investigation” purposes part of this new data breach? https://t.co/YVie2lbByc — Sally Rugg (@sallyrugg) October 14, 2022
Woolworths completed its acquisition of about 80% of MyDeal.com.au on 23 September. "There has been no compromise of any other Woolworths Group platforms or the Woolworths Group customer or Everyday Rewards records," the statement added.
The statement said data that had been accessed included customer names, email addresses, phone numbers, delivery addresses, and, in some cases, the date of birth of customers.
Of the affected customers, 1.2 million had only their email addresses exposed.
Woolworths said the data was accessed within the CRM system and the MyDeal Web site and app were not affected.
"MyDeal does not store payment, drivers licence or passport details and no customer account passwords or payment details have been compromised in this breach," the statement said.
MyDeal founder and chief executive Sean Senvirtne said: “We apologise for the considerable concern that this will cause our affected customers. We have acted quickly to identify and mitigate unauthorised access and have increased the monitoring of networks.
“We will continue to work with relevant authorities as we investigate the incident and we will keep our customers fully informed of any further updates impacting them.”
Woolworths Group chief security officer Pieter van der Merwe added: “Woolworths Group’s cyber security and privacy teams are fully engaged and working closely with MyDeal to support the response.”
This is the sixth data breach of Australian companies announced in less than a month. Optus announced on 22 September that its systems had been breached, followed by Telstra, G4S, Costa Group, Dialog and Medibank Group.