M

MyDeal Data Breach 2022:
What You Need to Know

Approximately 2.2 million MyDeal customer records were exposed after an unauthorised party accessed the company's CRM system using a compromised credential. Here is what happened, what data was accessed, and steps you can take to protect yourself.

Breach date:October 2022
Records affected:~2.2 million
Risk level:Medium

Your personal risk from this breach

Sign in or create a free account to see your personalised risk score.

View My Risk

What Happened

How the MyDeal Breach Unfolded

10 October 2022

An unauthorised party gained access to MyDeal's CRM system using a compromised user credential. The attacker was able to access customer data stored within the CRM platform.

14 October 2022

MyDeal publicly disclosed the breach, confirming that approximately 2.2 million customers were affected. The company notified the OAIC under the Notifiable Data Breaches scheme and began contacting affected customers via email. Woolworths Group was notified as MyDeal's parent company.

16 October 2022

The stolen MyDeal dataset was listed for sale on a criminal hacking forum for US$600, with the seller posting sample records as proof. This shifted the dataset from a stolen-only state to active commercial circulation.

Late October 2022

MyDeal confirmed that the breach was limited to data held in the CRM system. No payment information, passwords, or government identity documents were involved. Woolworths confirmed its own customer systems (including Everyday Rewards) were completely separate and unaffected.

Sources: ABC News (Oct 2022), ABC News (Oct 2022)

What Was Exposed

Personal Data Accessed in the Breach

The amount of data exposed varies between customers. The majority of affected customers had only their email addresses accessed. A smaller subset also had names, phone numbers, delivery addresses, and (in limited cases) dates of birth exposed.

Data TypeRisk LevelWho Was Affected
Email addressHighApproximately 1.2 million customers had only their email address exposed; the remaining ~1 million also had additional fields
Full nameHighApproximately 1 million customers (subset of the 2.2M total)
Phone numberHighApproximately 1 million customers (subset of the 2.2M total)
Delivery addressHighApproximately 1 million customers (subset of the 2.2M total)
Date of birthHighLimited subset: only customers who had previously needed to prove their age when purchasing alcohol

Risk levels based on the OAIC: What is personal information? and OAIC Australian Privacy Principles. Identity-linked data (name, date of birth, address, phone, email) is rated High because the combination is commonly used to verify identity at banks and telcos, and supports targeted phishing. No identity documents or financial data were exposed, so the breach's overall identity-theft potential is lower than Optus/Medibank-class incidents.

Confirmed NOT Exposed

MyDeal confirmed that no payment details, credit card numbers, bank account information, passwords, driver licence numbers, passport numbers, or Medicare numbers were stored in the compromised CRM system. Woolworths' own systems were completely unaffected, as MyDeal operates on a separate network.

Company Response

What MyDeal Did

Actions Taken by MyDeal

  • Immediately restricted access to the compromised CRM system
  • Notified Woolworths Group, the OAIC, and relevant authorities
  • Began contacting affected customers via email
  • Engaged external cybersecurity specialists to investigate
  • Implemented additional security controls on CRM and internal systems
  • Confirmed Woolworths' own systems were on a separate network and unaffected

What Now?

Steps You Can Take After the MyDeal Breach

Since no passwords, identity documents, or financial data were exposed, the primary risk from this breach is targeted phishing and spam. The steps below are organised by category to help minimise that risk.

MyDeal and Shopping Accounts

Your MyDeal account details were exposed. Other shopping accounts may use the same email.

Update your MyDeal account password

~5 min
It is generally considered best practice to update the password on any MyDeal account associated with the exposed email address. Enabling MFA where available adds a significant layer of protection.

Review other online shopping accounts

Where the same email address or password has been used across multiple online shopping accounts, consider updating credentials on those accounts as well. Credential reuse remains one of the most common ways a single breach leads to broader exposure.

Email and Digital Identity

Your email is the key to your digital identity. Securing it is a sensible first step.

Strengthen email security

~5 min
Updating the password and enabling MFA on email accounts associated with the breach is widely recommended. It is also worth checking email forwarding rules and connected app permissions, as these can be exploited to silently intercept communications.

Understand your full account exposure

Most people have dozens of online accounts linked to a single email address. When that email is exposed in a breach, understanding which services are connected is a critical first step in assessing personal risk. Tools that map your digital footprint can help identify accounts that may need attention.

General Vigilance

No identity documents or payment details were exposed, so the primary risk is phishing and spam.

Be alert for phishing attempts

Since no identity documents or financial information were exposed in this breach, the main risk is targeted phishing and spam. Scammers may use exposed email and name details to craft convincing messages. Treat any unsolicited contact referencing MyDeal or Woolworths orders with caution.

Note on credit bans

A credit ban is generally not necessary for this breach, as no identity documents (such as driver licence, passport, or Medicare numbers) were exposed. For those who were also affected by breaches where identity documents were leaked (such as Optus or Medibank), placing a credit ban may still be worth considering.

Monitoring and Reporting

Australian resources for breach response and identity protection.

Stay alert for targeted phishing

Scammers may reference MyDeal or Woolworths orders to make phishing messages appear legitimate. Any email, SMS, or call asking for personal details or payment information and claiming to be from MyDeal or Woolworths is worth verifying independently through official channels.

Contact IDCare or report to Scamwatch

IDCare (1800 595 160) is Australia's national identity and cyber support service and provides free, tailored guidance for people affected by data breaches. Reporting to Scamwatch contributes to broader awareness and helps authorities track emerging threats.

Not sure which of your accounts are affected?

In The Event Of helps you find the accounts linked to your email and shows your breach exposure, so you can work through a clear, prioritised plan after an incident.

Check My Email Free

Are You Still at Risk?

The Hidden Danger: Compound Breach Exposure

The MyDeal breach did not happen in isolation. While this breach on its own is relatively low-risk, the combination with other breaches (where identity documents were exposed) could elevate your overall risk significantly.

How breach data compounds

On its own, the MyDeal breach exposed emails, names, phone numbers, and delivery addresses. But if your email also appeared in the Optus or Medibank breaches, the combined data set may include identity documents, Medicare details, and health records. This kind of compound exposure significantly increases the risk of identity fraud, even when individual breaches appear lower-severity.

  • Optus (2022)9.8M records - passport, licence, Medicare numbers
  • Medibank (2022)9.7M records - health claims, Medicare details
  • Latitude Financial (2023)14M records - driver's licence, passport numbers
  • Qantas (2025)5.7M records - name, date of birth, phone, email

If your email appears in two or more of these breaches, your risk level is significantly elevated. In The Event Of can overlay your breach data to show exactly where your exposure compounds, and help you prioritise what to address first.

Were you affected?

Find out in 30 seconds. Free to check.

Check My Email Free

No credit card required.

Frequently Asked Questions

MyDeal Breach FAQ

Other Major Australian Data Breaches

Data from multiple breaches can be combined to increase identity fraud risk. Review these guides to understand your full exposure.

ACMI Data Breach 2026

~25,000 records exposed

High

Melbourne Film Festival Data Breach 2026

~26,782 records exposed

High

UWA Callista Student System Data Breach 2026

Undisclosed records exposed

Medium

University of Sydney Data Breach 2025

~27K records exposed

High

NYC Health + Hospitals Data Breach 2026

~1.8M records exposed

Critical

Australian Courts Data Breach 2026

Thousands of files records exposed

Critical

youX Data Breach 2026

~444K records exposed

High

Prosura Data Breach 2026

300K-500K records exposed

High

Canvas (Instructure) Data Breach 2026

~275M (claimed) records exposed

Medium

Booking.com Data Breach 2026

Undisclosed records exposed

High

McGraw Hill Data Breach 2026

13.5M records exposed

High

Crunchyroll Data Breach 2026

Undisclosed records exposed

High

Eurail Data Breach 2026

300K+ records exposed

High

Basic-Fit Data Breach 2026

1M records exposed

High

Under Armour Data Breach 2025

72M records exposed

High

Salesforce (ShinyHunters) Data Breach 2025

~1B records exposed

High

Allianz Life Data Breach 2025

2.8M records exposed

High

Workday Data Breach 2025

Undisclosed records exposed

Medium

Western Sydney University Data Breach 2025

10K records exposed

High

Genea Fertility Data Breach 2025

940K records exposed

Critical

DeepSeek Data Breach 2025

1M records exposed

Medium

Tangerine Telecom Data Breach 2024

232K records exposed

High

Australian Clinical Labs Data Breach 2022

223K records exposed

Critical

Qantas Data Breach 2025

5.7M records exposed

High

Optus Data Breach 2022

9.8M records exposed

Critical

Medibank Data Breach 2022

9.7M records exposed

Critical

Latitude Financial Data Breach 2023

14M records exposed

Critical

Guides to read next

In The Event Of is an Australian digital footprint manager that helps you find the accounts linked to your email, see your breach exposure, and work through a prioritised action plan. These guides walk through the steps:

Disclaimer: This guide is provided for general informational purposes only and does not constitute legal, financial, or professional advice. The information is based on publicly available sources at the time of writing and may not reflect the most current developments. In The Event Of Pty Ltd (ABN 38 687 352 647) is not affiliated with MyDeal.com.au Pty Ltd or Woolworths Group Limited. If you believe you have been affected by this data breach, we recommend contacting the relevant authorities and seeking professional guidance specific to your circumstances.