MyDeal Data Breach 2022:
What You Need to Know
Approximately 2.2 million MyDeal customer records were exposed after an unauthorised party accessed the company's CRM system using a compromised credential. Here is what happened, what data was accessed, and steps you can take to protect yourself.
Your personal risk from this breach
Sign in or create a free account to see your personalised risk score.
What Happened
How the MyDeal Breach Unfolded
October 2022
An unauthorised party gained access to MyDeal's CRM system using a compromised user credential. The attacker was able to access customer data stored within the CRM platform.
October 2022
MyDeal detected the unauthorised access and immediately took steps to restrict access to the affected system. Woolworths Group was notified as MyDeal's parent company.
October 2022
MyDeal publicly disclosed the breach, confirming that approximately 2.2 million customers were affected. The company notified the OAIC and began contacting affected customers via email.
Late October 2022
MyDeal confirmed that the breach was limited to data held in the CRM system. No payment information, passwords, or government identity documents were involved. Woolworths confirmed its own customer systems were completely separate and unaffected.
Sources: ABC News (Oct 2022), ABC News (Oct 2022)
What Was Exposed
Personal Data Accessed in the Breach
The amount of data exposed varies between customers. The majority of affected customers had only their email addresses accessed. A smaller subset also had names, phone numbers, delivery addresses, and (in limited cases) dates of birth exposed.
| Data Type | Risk Level | Who Was Affected |
|---|---|---|
| Email address | Medium | Majority of approximately 2.2 million affected customers |
| Full name | Medium | Subset of affected customers |
| Phone number | Medium | Subset of affected customers |
| Delivery address | Medium | Subset of affected customers |
| Date of birth | Medium | Limited subset: only where provided for age verification purposes |
Risk levels based on the Australian Government's PSPF and OAIC Australian Privacy Principles. This breach is rated Medium as no identity documents or financial information were exposed.
Confirmed NOT Exposed
MyDeal confirmed that no payment details, credit card numbers, bank account information, passwords, driver licence numbers, passport numbers, or Medicare numbers were stored in the compromised CRM system. Woolworths' own systems were completely unaffected, as MyDeal operates on a separate network.
Company Response
What MyDeal Did
Actions Taken by MyDeal
- Immediately restricted access to the compromised CRM system
- Notified Woolworths Group, the OAIC, and relevant authorities
- Began contacting affected customers via email
- Engaged external cybersecurity specialists to investigate
- Implemented additional security controls on CRM and internal systems
- Confirmed Woolworths' own systems were on a separate network and unaffected
What Now?
Steps You Can Take After the MyDeal Breach
Since no passwords, identity documents, or financial data were exposed, the primary risk from this breach is targeted phishing and spam. The steps below are organised by category to help minimise that risk.
MyDeal and Shopping Accounts
Your MyDeal account details were exposed. Other shopping accounts may use the same email.
Update your MyDeal account password
~5 minReview other online shopping accounts
Email and Digital Identity
Your email is the key to your digital identity. Securing it is a sensible first step.
Strengthen email security
~5 minUnderstand your full account exposure
General Vigilance
No identity documents or payment details were exposed, so the primary risk is phishing and spam.
Be alert for phishing attempts
Note on credit bans
Monitoring and Reporting
Australian resources for breach response and identity protection.
Stay alert for targeted phishing
Not sure which of your accounts are affected?
In The Event Of discovers your accounts automatically and alerts you in real time when new breaches affect your data.
Are You Still at Risk?
The Hidden Danger: Compound Breach Exposure
The MyDeal breach did not happen in isolation. While this breach on its own is relatively low-risk, the combination with other breaches (where identity documents were exposed) could elevate your overall risk significantly.
How breach data compounds
On its own, the MyDeal breach exposed emails, names, phone numbers, and delivery addresses. But if your email also appeared in the Optus or Medibank breaches, the combined data set may include identity documents, Medicare details, and health records. This kind of compound exposure significantly increases the risk of identity fraud, even when individual breaches appear lower-severity.
- Optus (2022)9.8M records - passport, licence, Medicare numbers
- Medibank (2022)9.7M records - health claims, Medicare details
- Latitude Financial (2023)14M records - driver's licence, passport numbers
- Qantas (2025)5.7M records - name, date of birth, phone, email
If your email appears in two or more of these breaches, your risk level is significantly elevated. In The Event Of can overlay your breach data to show exactly where your exposure compounds, and help you prioritise what to address first.
Frequently Asked Questions
MyDeal Breach FAQ
Other Major Australian Data Breaches
Data from multiple breaches can be combined to increase identity fraud risk. Review these guides to understand your full exposure.
Disclaimer: This guide is provided for general informational purposes only and does not constitute legal, financial, or professional advice. The information is based on publicly available sources at the time of writing and may not reflect the most current developments. In The Event Of Pty Ltd (ABN 38 687 352 647) is not affiliated with MyDeal.com.au Pty Ltd or Woolworths Group Limited. If you believe you have been affected by this data breach, we recommend contacting the relevant authorities and seeking professional guidance specific to your circumstances.