Cyber Incident Victim: My Rewards

Date: Aug 2021

Location: Australia

Summary

A security breach at The Good Guys' former third-party rewards provider, My Rewards, resulted in unauthorized access to customer data including names, email addresses, phone numbers, and optional dates of birth. The retailer confirmed its own systems were unaffected and stated financial or identity documents were not compromised. Exposed personal information could facilitate social engineering attacks through phishing attempts leveraging legitimate-seeming order details. The incident underscores broader third-party supply chain risks, with the affected vendor no longer retaining customer data after service termination. This breach follows similar third-party compromises affecting Australian organizations, highlighting systemic challenges in monitoring vendor security postures.

Description

In August 2021, unauthorized access occurred to the systems of My Rewards (formerly Pegasus Group Australia), a former third-party supplier for Australian retailer The Good Guys. The breach compromised personal data of The Good Guys' Concierge loyalty program members who had created My Rewards accounts. My Rewards disclosed the incident in a statement on February 23, 2023, confirming that preliminary investigations identified the August 2021 intrusion as the source of data exposure. The compromised information included names, email addresses, phone numbers, and account passwords. Dates of birth, which were optional for customers to provide, might also have been exposed. No financial information or identity documents—such as credit card numbers, driver's licenses, or passport details—were accessed. All affected data was stored within Australia. The Good Guys confirmed its own IT systems remained uncompromised and were not involved in the breach.

The Good Guys became aware of the incident in February 2023 when notified by My Rewards. The retailer immediately confirmed that all My Rewards accounts linked to its Concierge program had been closed prior to the breach disclosure and that the former supplier no longer retained any member data. Impacted customers were contacted directly, with The Good Guys publicly apologizing for concerns caused by its former provider's security failure. My Rewards stated its current IT systems showed no evidence of compromise and that it was cooperating with Australian Federal Police. Cybersecurity experts highlighted the breach as part of a broader pattern of third-party supply chain vulnerabilities in the Asia-Pacific region, noting that stolen personal information could facilitate targeted social engineering attacks despite the absence of financial data. The incident coincided with increased Australian regulatory scrutiny of data breaches, following recent legislative changes that substantially raised maximum penalties for serious privacy violations to AU$50 million or 30% of a company's adjusted turnover.
