Cyber Incident Victim: My Rewards
Date: Aug 2021
Location: Australia
Summary
A third-party breach involving My Rewards, a former rewards service provider for an Australian retailer, compromised customer data including names, email addresses, phone numbers, and optionally provided dates of birth. The unauthorized access occurred in August 2021 but was disclosed later, with no financial or identity documents exposed. The affected retailer confirmed its own systems were not breached and stated that all linked accounts had been closed, with the third party no longer retaining member data. Compromised personal information raises risks of social engineering attacks, as attackers could leverage legitimate details for phishing attempts. The incident underscores supply chain vulnerabilities, highlighting challenges in monitoring third-party security practices and data retention policies after service termination.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |

| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |

Description
In August 2021, My Rewards—formerly known as Pegasus Group Australia—experienced unauthorized access to its systems, compromising personal data of customers associated with The Good Guys’ Concierge loyalty program. The breach was disclosed by My Rewards on February 23, 2023, following preliminary investigations that confirmed the incident. The compromised data included names, email addresses, phone numbers, and optionally provided dates of birth for affected customers. My Rewards confirmed all data was stored domestically in Australia and emphasized that no financial information or identity documents—such as credit card numbers, driver’s licenses, or passport details—were exposed. The Good Guys, an Australian retailer, clarified it was notified of the breach in February 2023 and confirmed its own IT systems were not compromised. The company stated it had previously partnered with My Rewards to administer reward services for Concierge members, some of whom created My Rewards accounts requiring passwords. Following the breach, The Good Guys severed ties with My Rewards, closed all linked accounts, and confirmed the third party no longer retained any personal data of its members.

The incident exposed customers to potential social engineering attacks, as cybercriminals could leverage stolen personal details to craft convincing phishing emails or messages impersonating legitimate entities. Security experts highlighted risks of payment diversion or further data extraction attempts targeting victims. My Rewards engaged Australian Federal Police and relevant authorities during its response, asserting no ongoing breach existed within its current IT infrastructure. The breach underscored broader supply chain vulnerabilities, with industry analysts noting that 97% of Asia-Pacific organizations faced negative impacts from third-party breaches. The Good Guys publicly apologized for the incident, initiated direct notifications to affected customers, and emphasized its disappointment in the former vendor’s security lapse. Concurrently, Australia’s increased data breach penalties—raising maximum fines to AU$50 million for serious violations—reflected heightened regulatory scrutiny following a series of high-profile incidents, including this breach and the 2022 Medibank attack.
