MyDeal's Data Breach Exposing 2.2M Customers Just Went From Bad To Worse

On October 10, less than a month after Australia was hit by its largest ever data breach, the Australian online retail store MyDeal was struck by a data breach. According to Woolworths Group, which recently acquired the online retailer, an unknown actor used a set of compromised employee credentials to access MyDeal’s Customer Relationship Management (CRM) system. Once inside the system, the threat actor stole personal information belonging to 2.2 million customers and listed it for sale on an online criminal marketplace. Then, early this morning, the actor updated this listing to indicate that the information has been sold.

Neither MyDeal nor Woolworths Group has offered an explanation for how the threat actor came into possession of the credentials that enabled the data breach. Furthermore, neither company makes clear whether the threat actor directly accessed the CRM system or first gained unauthorized access to MyDeal’s wider internal network. The threat actor shared a map of MyDeal’s network infrastructure, as well as screenshots that appear to show unauthorized access to the company’s Amazon Web Services (AWS) portal, Confluence workspace platform, and Zendesk customer support system. The threat actor also claimed to have stolen source code from MyDeal’s Bitbucket repositories.

This information would seem to indicate that the threat actor accessed not just MyDeal’s CRM system, but also its wider network. Fortunately, while Woolworths Group completed its acquisition of MyDeal just last month, the two companies’ networks operate on separate platforms, so the breach remained isolated to MyDeal’s network.

Breach Forums post listing the stolen data for sale

The actor claiming responsibility for the breach said he sent emails to at least a dozen MyDeal employees promising to delete the stolen data if the company handed over $20,000, but MyDeal and Woolworths Group have made no mention of this supposed offer. If the threat actor did attempt to extort MyDeal, the company evidently didn’t comply with the actor’s demand, as the stolen data appeared for public sale on Breach Forums. This listing included a price tag of just $600 and has since been updated with a tag marking the database as sold.

The seller has also indicated that there won’t be any more copies of the data sold. It’s possible that MyDeal or Woolworths Group hired an intermediary to buy back the stolen information without the seller’s knowledge, as T-Mobile once did. However, unless Woolworths Group or its subsidiary issues a statement claiming to have done so, MyDeal customers affected by the breach should assume that their information was sold to another cybercriminal and may be used to commit identity fraud or conduct phishing attacks.

According to Woolworths Group, 1.2 million of the 2.2 million affected customers had just their email addresses exposed in the data breach. The stolen information belonging to the remaining customers includes first and last names, email addresses, phone numbers, shipping and billing addresses, and dates of birth. MyDeal has notified all affected customers by email and stated that anyone who has not received such a notice by email was not affected.