Cyber Incident Victim: MyDeal
Date: Oct 2022
Location: Australia
Summary
A MyDeal data breach exposed information of 2.2 million customers after a threat actor leveraged compromised credentials to infiltrate the company’s CRM system. Stolen data included names, email addresses, phone numbers, delivery addresses, and some birthdates, with 1.2 million impacted individuals having only email addresses exposed; no payment details, passwords, or government IDs were compromised. The attacker advertised the data for sale on a hacking forum, initially claiming one million records while promising more after parsing, and shared samples alongside screenshots purportedly showing internal systems like Confluence and AWS access points. The parent company Woolworths confirmed its separate platforms remained unaffected, and breach notifications were dispatched to verified impacted customers.
Description
On October 17, 2022, Woolworths' subsidiary MyDeal disclosed a data breach impacting 2.2 million customers after unauthorized access to its Customer Relationship Management (CRM) system. The incident occurred when a threat actor utilized compromised user credentials to infiltrate the system, enabling the export of customer data. Exposed information included names, email addresses, phone numbers, and delivery addresses, with birthdates compromised in some cases. Approximately 1.2 million affected customers had only their email addresses exposed. MyDeal confirmed no payment details, government-issued identification documents, or account passwords were accessed. The breach notification process commenced immediately, with the company advising that only customers receiving direct communications were impacted. Woolworths clarified its systems remained unaffected due to operational separation following its September 2022 acquisition of 80% of MyDeal.

The threat actor attempted to monetize the stolen data by listing it for sale at $600 on a hacker forum on October 16, 2022, claiming the initial dataset contained one million records with more to follow after parsing completion. As proof of compromise, the attacker published screenshots of MyDeal's internal Confluence server and an AWS single-sign-on authentication prompt. On October 17, the actor released a sample containing personal details of 286 MyDeal customers. Despite MyDeal's assurance regarding password security, the public exposure of contact information and physical addresses raised concerns about targeted phishing campaigns and identity theft risks. The company maintained direct communication with verified affected users while forensic investigations continued to determine the full scope of credential compromise leading to the CRM breach.
