MyDeal Data Breach 2022:
What You Need to Know
Approximately 2.2 million MyDeal customer records were exposed after an unauthorised party accessed the company's CRM system using a compromised credential. Here is what happened, what data was accessed, and steps you can take to protect yourself.
Your personal risk from this breach
Sign in or create a free account to see your personalised risk score.
What Happened
How the MyDeal Breach Unfolded
October 2022
An unauthorised party gained access to MyDeal's CRM system using a compromised user credential. The attacker was able to access customer data stored within the CRM platform.
October 2022
MyDeal detected the unauthorised access and immediately took steps to restrict access to the affected system. Woolworths Group was notified as MyDeal's parent company.
October 2022
MyDeal publicly disclosed the breach, confirming that approximately 2.2 million customers were affected. The company notified the OAIC and began contacting affected customers via email.
Late October 2022
MyDeal confirmed that the breach was limited to data held in the CRM system. No payment information, passwords, or government identity documents were involved. Woolworths confirmed its own customer systems were completely separate and unaffected.
Sources: ABC News (Oct 2022), ABC News (Oct 2022)
What Was Exposed
Personal Data Accessed in the Breach
The amount of data exposed varies between customers. The majority of affected customers had only their email addresses accessed. A smaller subset also had names, phone numbers, delivery addresses, and (in limited cases) dates of birth exposed.
| Data Type | Risk Level | Who Was Affected |
|---|---|---|
| Email address | High | Majority of approximately 2.2 million affected customers |
| Full name | High | Subset of affected customers |
| Phone number | High | Subset of affected customers |
| Delivery address | High | Subset of affected customers |
| Date of birth | High | Limited subset: only where provided for age verification purposes |
Risk levels based on the OAIC: What is personal information? and OAIC Australian Privacy Principles. Identity-linked data (name, date of birth, address, phone, email) is rated High because the combination is commonly used to verify identity at banks and telcos, and supports targeted phishing. No identity documents or financial data were exposed, so the breach's overall identity-theft potential is lower than Optus/Medibank-class incidents.
Confirmed NOT Exposed
MyDeal confirmed that no payment details, credit card numbers, bank account information, passwords, driver licence numbers, passport numbers, or Medicare numbers were stored in the compromised CRM system. Woolworths' own systems were completely unaffected, as MyDeal operates on a separate network.
Company Response
What MyDeal Did
Actions Taken by MyDeal
- Immediately restricted access to the compromised CRM system
- Notified Woolworths Group, the OAIC, and relevant authorities
- Began contacting affected customers via email
- Engaged external cybersecurity specialists to investigate
- Implemented additional security controls on CRM and internal systems
- Confirmed Woolworths' own systems were on a separate network and unaffected
What Now?
Steps You Can Take After the MyDeal Breach
Since no passwords, identity documents, or financial data were exposed, the primary risk from this breach is targeted phishing and spam. The steps below are organised by category to help minimise that risk.
MyDeal and Shopping Accounts
Your MyDeal account details were exposed. Other shopping accounts may use the same email.
Update your MyDeal account password
~5 minReview other online shopping accounts
Email and Digital Identity
Your email is the key to your digital identity. Securing it is a sensible first step.
Strengthen email security
~5 minUnderstand your full account exposure
General Vigilance
No identity documents or payment details were exposed, so the primary risk is phishing and spam.
Be alert for phishing attempts
Note on credit bans
Monitoring and Reporting
Australian resources for breach response and identity protection.
Stay alert for targeted phishing
Not sure which of your accounts are affected?
In The Event Of discovers your accounts automatically and alerts you in real time when new breaches affect your data.
Are You Still at Risk?
The Hidden Danger: Compound Breach Exposure
The MyDeal breach did not happen in isolation. While this breach on its own is relatively low-risk, the combination with other breaches (where identity documents were exposed) could elevate your overall risk significantly.
How breach data compounds
On its own, the MyDeal breach exposed emails, names, phone numbers, and delivery addresses. But if your email also appeared in the Optus or Medibank breaches, the combined data set may include identity documents, Medicare details, and health records. This kind of compound exposure significantly increases the risk of identity fraud, even when individual breaches appear lower-severity.
- Optus (2022)9.8M records - passport, licence, Medicare numbers
- Medibank (2022)9.7M records - health claims, Medicare details
- Latitude Financial (2023)14M records - driver's licence, passport numbers
- Qantas (2025)5.7M records - name, date of birth, phone, email
If your email appears in two or more of these breaches, your risk level is significantly elevated. In The Event Of can overlay your breach data to show exactly where your exposure compounds, and help you prioritise what to address first.
Frequently Asked Questions
MyDeal Breach FAQ
Other Major Australian Data Breaches
Data from multiple breaches can be combined to increase identity fraud risk. Review these guides to understand your full exposure.
NYC Health + Hospitals Data Breach 2026
~1.8M records exposed
Australian Courts Data Breach 2026
Thousands of files records exposed
youX Data Breach 2026
~444K records exposed
Prosura Data Breach 2026
300K-500K records exposed
Canvas (Instructure) Data Breach 2026
~275M (claimed) records exposed
Booking.com Data Breach 2026
Undisclosed records exposed
McGraw Hill Data Breach 2026
13.5M records exposed
Crunchyroll Data Breach 2026
Undisclosed records exposed
Eurail Data Breach 2026
300K+ records exposed
Basic-Fit Data Breach 2026
1M records exposed
Under Armour Data Breach 2025
72M records exposed
Salesforce (ShinyHunters) Data Breach 2025
~1B records exposed
Allianz Life Data Breach 2025
2.8M records exposed
Workday Data Breach 2025
Undisclosed records exposed
Western Sydney University Data Breach 2025
10K records exposed
Genea Fertility Data Breach 2025
940K records exposed
DeepSeek Data Breach 2025
1M records exposed
Tangerine Telecom Data Breach 2024
232K records exposed
Australian Clinical Labs Data Breach 2022
223K records exposed
Qantas Data Breach 2025
5.7M records exposed
Optus Data Breach 2022
9.8M records exposed
Medibank Data Breach 2022
9.7M records exposed
Latitude Financial Data Breach 2023
14M records exposed
Disclaimer: This guide is provided for general informational purposes only and does not constitute legal, financial, or professional advice. The information is based on publicly available sources at the time of writing and may not reflect the most current developments. In The Event Of Pty Ltd (ABN 38 687 352 647) is not affiliated with MyDeal.com.au Pty Ltd or Woolworths Group Limited. If you believe you have been affected by this data breach, we recommend contacting the relevant authorities and seeking professional guidance specific to your circumstances.