Millions of customers’ data has been exposed in a major breach at an online shopping site owned by retail giant Woolworths.
The company says a compromised user credential was used to get access to customer information from the MyDeal website.
On Friday, the Woolworths Group said MyDeal had begun contacting an estimated 2.2 million customers who were affected in the breach. All of those impacted had been contacted via email by Saturday.
The details exposed included customer names, email addresses, phone numbers and delivery addresses, as well as birth dates for people who had to verify their ages when buying alcohol.
In the case of 1.2 million customers, only their email addresses were exposed.
MyDeal didn’t store sensitive records like payment information, drivers licence or passport details and no passwords were compromised in the breach, the company said.
The Office of the Australian Information Commissioner confirmed on Saturday it had been notified of the MyDeal breach and it would engage with Woolworths to ensure the company complied with its obligations to notify customers.
In a statement, the privacy watchdog said affected individuals should be alert to scams or any unexpected activity on their accounts or devices.
Woolworths took an 80 per cent stake in MyDeal in September in a takeover worth more than $200 million.
The company said MyDeal’s systems operated on a different platform to the broader group and no Woolworths or Everyday Rewards customer details had been exposed in the breach.
MyDeal chief executive Sean Senvirtne apologised for the concern the breach would cause for affected customers.
“We will continue to work with relevant authorities as we investigate the incident and we will keep our customers fully informed of any further updates impacting them,” he said.
The MyDeal data breach follows a massive hack at telco Optus in which the personal details of about 10 million customers were exposed.
That breach is subject to multiple investigations after the passport, licence and Medicare numbers of hundreds of thousands of Australians were compromised.
The government has vowed to review Australia’s privacy laws in the wake of the Optus hack and tighter protections could be introduced before the end of the year.
