This is a work in progress. While we strive for accuracy, some breach details may be incomplete or pending verification.

The Good Guys

Summary

The Good Guys contacted 1.85 million past and present members of its Concierge loyalty programme in February 2023 after learning that their data may have been compromised in a breach of a former third-party supplier. The IT systems of Pegasus Group Australia (now known as My Rewards) were improperly accessed by an unauthorised user in August 2021, though The Good Guys only became aware of the breach in February 2023—approximately 18 months after the incident occurred. The compromised data included names, addresses, phone numbers, and email addresses, but no identity documents or financial information.

What Happened

In August 2021, the IT systems of Pegasus Group Australia (which later became My Rewards), a former third-party supplier to The Good Guys, were improperly accessed by an unauthorised user. My Rewards provided member benefits for The Good Guys' Concierge loyalty programme and held contact details of programme members.

The Good Guys only became aware of this breach in February 2023—approximately 18 months after the incident occurred. The significant delay between the breach occurring and The Good Guys being notified meant that affected customers' information was potentially in the hands of unauthorised parties for an extended period before they were informed.

The Good Guys confirmed that its own IT systems were not involved in this incident, and the breach was limited to the third-party supplier's systems.

Impact on Individuals

The breach affected 1.85 million past and present members of The Good Guys' Concierge loyalty programme:

  • 325,000 members who had set up a My Rewards account
  • An additional 1.5 million members who may have had their details impacted

The compromised data held by My Rewards included:

  • Names
  • Addresses
  • Phone numbers
  • Email addresses

Importantly, no personal identity documents (such as driver's licences or passports) or financial information (such as credit card data) was involved in the breach. This limits the potential for immediate financial fraud, though the contact information could be used for phishing campaigns, identity correlation, or sold to other parties.

The 18-month delay in notification is particularly concerning, as affected individuals were unable to take protective measures such as being alert for phishing attempts or monitoring for misuse of their information during this extended period.

Organisational Response

The Good Guys notified all potentially affected Concierge loyalty programme members after becoming aware of the breach in February 2023. The company confirmed it no longer uses My Rewards to provide member benefits and that My Rewards accounts linked to Concierge member benefits have been closed.

Critically, The Good Guys stated that My Rewards no longer holds any personal information of Concierge members, reducing the risk of future exposure through that vendor. The company advised affected members to be vigilant for suspicious communications that might use their personal details.

The incident highlights the challenges organisations face in managing third-party vendor relationships and the importance of ensuring vendors promptly disclose breaches that may affect an organisation's customers.
