Woolworths claims that the personal information of 2.2 million customers of a website it owns has been compromised.
Woolworths-owned MyDeal announced today that "a compromised user credential was used to gain unauthorised access to its Customer Relationship Management (CRM) system, resulting in the exposure of some customer data."
Woolworths said in a statement that it is in the process of contacting the estimated 2.2 million people affected by email.
The data accessed includes customer names, email addresses, phone numbers, delivery addresses, and, in some cases, the customer's date of birth for anyone who has had to prove their age when purchasing alcohol.
According to the company, only 1.2 million customers' email addresses were exposed.
"MyDeal does not store payment, driver's licence or passport details and no customer account passwords or payment details have been compromised in this breach," Woolworths said.
It stated that the Mydeal.com.au website and app were not affected. There has also been "no compromise of any other Woolworths Group platforms or the Woolworths Group customer or Everyday Rewards records".
MyDeal CEO Sean Senvirtne said, "We apologise for the considerable concern that this will cause our affected customers. We have acted quickly to identify and mitigate unauthorised access and have increased the monitoring of networks. We will continue to work with relevant authorities as we investigate the incident and we will keep our customers fully informed of any further updates impacting them.
Pieter van der Merwe, the chief security officer at Woolworths Group, stated that the company's "cyber security and privacy teams are fully engaged and working closely with MyDeal to support the response." Woolworths stated that customers who were not contacted had their information not accessed.
