Australian electronics retailer The Good Guys has suffered a data breach affecting customers' personal information, due to a security incident involving former third-party supplier My Rewards.
The supplier confirmed the breach, stating that preliminary investigations indicated “unauthorised access” to its systems in August 2021, leading to a compromise of customers’ personally identifiable information (PII), such as names, email addresses, and phone numbers. It confirmed that all data was stored in Australia and that its IT systems had not been breached.
The Good Guys said that its IT systems were not involved and that My Rewards had previously provided reward services for its Concierge members. Customers with My Rewards accounts would have been required to create a password and provide their date of birth.
The compromised data did not include financial or identity document details, such as credit card, driver’s licence, or passport information. The Good Guys said it will contact affected customers and that My Rewards accounts linked to its Concierge benefits programme had been closed, with the third-party vendor no longer holding any personal data of its members.
The breach highlights the importance of scrutinising third-party suppliers in business supply chains, said Sumit Bansal, BlueVoyant’s Asia-Pacific Japan vice president. The incident, alongside last year’s Medibank breach, served as a reminder for businesses to monitor suppliers and other third parties in their supply chains, he added.
A recent study by BlueVoyant found that 97% of Asia-Pacific organisations had been negatively impacted by a breach in their supply chain, with almost 40% saying they would not know if a third party had security vulnerabilities.
Bansal called on organisations to ensure they know which third parties they use and what data and network access those parties may have, to provide them only with the data needed for their role, and to put policies in place to prevent third parties from retaining data after their services are no longer used.
The Good Guys apologised for the breach, with the company saying it was “extremely disappointed” that My Rewards had experienced a data breach. The incident highlights the importance of businesses conducting thorough due diligence and monitoring of third-party suppliers in their supply chain to minimise risks of data breaches.
This includes reviewing the data access provided to third parties and putting in place policies that govern data retention and destruction. It also highlights the importance of having data breach response plans in place to respond quickly to incidents and minimise the impact on customers.