Australia retailer's customer data compromised in third-party breach

The Good Guys' customer data, including phone numbers and email addresses, have been compromised in a third-party breach that industry observers say is yet another reminder for businesses to scrutinise their suppliers' security practices.
Written by Eileen Yu, Senior Contributing Editor

Data belonging to customers of The Good Guys have been compromised in a security breach involving the Australian retailer's former third-party supplier, My Rewards. 

Formerly known as Pegasus Group Australia, My Rewards also confirmed the breach in a statement Thursday, revealing that preliminary investigations pointed to an "unauthorised access" to its systems in August 2021, which led to the data compromise. 

This meant that personally identifiable information, including names, email addresses, and phone numbers, likely had been made publicly available, the company said, noting that all its data were stored in Australia.

My Rewards added that its IT systems were not currently subject to any breach and that it would work with the relevant authorities, including the Australian Federal Police, regarding the incident.

In its own statement Thursday, The Good Guys said it was notified of the breach this month and that its own IT systems were not involved. 

It previously worked with My Rewards to provide reward services for its Concierge members, some of whom would have set up a My Rewards account that required a password. And while optional, customers' dates of birth also might have been provided.

Compromised data did not include financial or identity document details, such as credit card, driver's licence, or passport information. 

The Good Guys said affected customers would be contacted about the breach. It added that My Rewards accounts linked to its Concierge benefits programme were closed and the former third-party vendor no longer held any personal data of its members.

"The Good Guys is extremely disappointed that My Rewards, a former services provider, has experienced this breach and we apologise for any concern that this may cause," the Australian retailer said. 

Commenting on the breach, BlueVoyant's Asia-Pacific Japan vice president Sumit Bansal noted that the incident as well as last year's Medibank breach involved third-party vendors, serving as a reminder for businesses to scrutinise their suppliers and other third parties involved in their supply chain. 

"These companies are far from the only ones to be negatively impacted by a breach related to a third party, and most likely will not be the last," Bansal said. 

Citing the security vendor's recent study, he noted that 97% of Asia-Pacific organisations had been negatively impacted by a breach in their supply chain. Almost 40% said they would not know if a third party had security vulnerabilities. 

The finding revealed a challenge with monitoring such risks, he said. "Digital supply chains are made of vendors, suppliers, and other third parties with network access. As organisations' own internal cybersecurity becomes stronger, a third party may have weaker security," he added. "To help prevent breaches, organisations should first make sure they know which third parties they use or have used in the past, and what data and network access they may have."

"Organisations should only provide employees and third parties with access to the data needed for their role. This helps to control what data can be accessed in the event of a breach. They should also put policies in place to prevent third parties from retaining data after their services are no longer used."

Australia-based Jacqueline Jayne, who is KnowBe4's Asia-Pacific security awareness advocate, further noted that the compromised data could be used to facilitate social engineering attacks, even if personal financial information were not leaked.

The data could be manipulated to create phishing email messages that looked legitimate and be used to redirect payments or collect more sensitive information from targeted victims, Jayne said. 

"Because many victims will assume an email or text message containing legitimate information about previous orders would be trustworthy, it can make it much easier for a social engineering attack to be successful," she said. "Victims of this [The Good Guys] data loss should be very cautious when it comes to future communications and they should pay close attention to any links in messages or requests for more information."

The Australian government in November passed legislation to increase financial penalties for data privacy violators, pushing up maximum fines for serious or repeated breaches to AU$50 million ($32.34 million), from the current AU$2.22 million, or three times the value of any benefit obtained through the data misuse, or 30% of the company's adjusted turnover in the relevant period, whichever is greater.
