My Rewards

My Rewards operated as a third-party rewards service provider, delivering customer loyalty program management for at least one major Australian retailer. Its core function involved administering member accounts and reward structures, handling personal customer data such as names, email addresses, phone numbers, and optionally dates of birth. The organisation's market presence was tied to its contractual role within a retail supply chain, serving as an external vendor rather than a direct-to-consumer brand. No explicit details regarding its overall size, client portfolio beyond the identified retailer, or geographic reach beyond Australia are provided in the available information. Its operational model centred on processing and retaining participant information for the duration of its service agreements.

The organisation's profile is significantly defined by a security incident disclosed in August 2021, where unauthorised third-party access compromised the personal data it held. This breach occurred while My Rewards was a former service provider for the retailer, highlighting critical issues in data retention and supply chain security after contract termination. The incident underscored vulnerabilities in monitoring third-party data practices and the persistent risks of retained information. The affected retailer confirmed its own systems remained secure and that all linked customer accounts had been closed, with My Rewards no longer holding member data at the time of disclosure. The exposed information, while not including financial or identity documents, presented a tangible risk for social engineering and phishing attacks, as attackers could leverage legitimate personal details. This event illustrates the potential long-term liabilities associated with third-party data stewardship and the importance of rigorous data disposal protocols upon service conclusion.