GoodGuys has sent customers a notification that its supplier, Pegasus Group Australia Pty Ltd (now known as My Rewards Pty Ltd), has been hacked and had customer data breached. The customer data included names, addresses, phone numbers, encrypted passwords, email addresses and some dates of birth.
The notification says the breach appears to have occurred in August 2021. Telstra reported the same or a similar data breach in October 2022.
So the MyRewards data breach has impacted GoodGuys and Telstra, and has potentially impacted more of MyRewards' clients, including:
- Australia Post
- Civil Contractors Federation
- MotorOne Group
- Victoria Chambers of Commerce and Industry
- Peter Page Holden
- Wyndham Asia Pacific
Vertex has decades of experience protecting existing Vertex clients and responding to Cyber Incidents for new Vertex clients, so if we read between the lines, apply some patterns and make some assumptions, what might have happened?
The first check shows that MyRewards was recently listed on the ASX, which raised $5 million in investment. MyRewards has 14 employees listed on LinkedIn. They have a Risk Management framework that is reviewed annually, so they would have identified and discussed Cyber Security as a risk. They have internal PHP (Hypertext Preprocessor) developers and have outsourced development to 121 Outsource (prior to August 2020).
So the likely scenarios for how the hackers gained access to the data are:
- Insecure backups (which would explain the old dates on the data).
- Insecure or leaked AWS credentials.
- A SQLi (SQL Injection) vulnerability in the website exposing the database in 2021.
- Another vulnerable server or service connected to, or related to, the database.
Based on the fact that PHP is being used (legacy PHP code commonly builds SQL queries by string concatenation, which is exactly how SQLi arises) and that a mix of external and internal developers are being used, it is more likely it was a SQLi vulnerability within the PHP website. Considering it appears to have happened in 2021, it is likely the hackers demanded a ransom at the time, which should have highlighted this vulnerability to MyRewards, and hopefully they fixed it immediately. If they did know in 2021, they would have had a responsibility in 2021 to report the data breach, which could mean regulatory fines and potential litigation will follow.
On this assumption, the breach could have been avoided with a WAF (web application firewall), secure code training, a code framework that uses parameterised queries, code reviews, and a quality Penetration Test that could have detected the SQLi vulnerability before the hackers did. Vertex Cyber Security provides and/or helps many tech businesses implement these and more Cyber Security protections.
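To make the SQLi scenario concrete, here is an added illustration (written for this post, not MyRewards' or 121 Outsource's code, and not evidence of what their site actually does): a member-lookup function written the way legacy PHP often is, beside the same lookup using a prepared statement. The `members` table, its columns and the connection details are assumptions for the example.

```php
<?php
// Added example, not code from MyRewards: a member lookup endpoint in PHP,
// vulnerable form first, hardened form second. Table and column names are
// assumed for illustration only.

declare(strict_types=1);

// --- Vulnerable form: the request parameter is concatenated into the SQL text,
// so whoever controls $email also controls part of the statement.
function find_member_vulnerable(mysqli $db, string $email): ?array
{
    $sql = "SELECT id, name, email FROM members WHERE email = '" . $email . "'";
    $result = $db->query($sql);
    return $result ? ($result->fetch_assoc() ?: null) : null;
}
// With $email = "x' OR '1'='1" the statement becomes
//   SELECT id, name, email FROM members WHERE email = 'x' OR '1'='1'
// and matches every row. A UNION payload such as
//   x' UNION SELECT id, password_hash, address FROM members WHERE '1'='1
// pulls other columns (or other tables) into the same result set, which is
// how names, addresses and password hashes leave the database in one go.

// --- Hardened form: the parameter is bound separately from the query text,
// so the database parser never sees attacker input as SQL.
function find_member_safe(mysqli $db, string $email): ?array
{
    // Reject input that cannot be an email before it reaches the database.
    // This is defence in depth; the prepared statement is the real fix.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    $stmt = $db->prepare("SELECT id, name, email FROM members WHERE email = ?");
    $stmt->bind_param('s', $email);   // 's': bound as a string value, never as SQL
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Least privilege on the database side limits the blast radius of any
// residual injection: the web application's account should hold only the
// rights this endpoint needs (SELECT on members), with no access to backup
// tables, other schemas or FILE/administrative privileges.

// Usage (assumed connection details for the example):
// $db = new mysqli('localhost', 'app_user', $password, 'rewards');
// $member = find_member_safe($db, $_GET['email'] ?? '');
```

A WAF can block the obvious payloads above, but it is a filter in front of the bug rather than a fix; a code review or Penetration Test that finds string-built queries like `find_member_vulnerable` is what removes the class of vulnerability.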
As an example, Vertex finds critical vulnerabilities like this SQLi in more than 60% of the Penetration Tests we perform, and this includes tests we have performed after one of our competitors had already tested the same system.
MyRewards has paused trading and released the Databreach MyRewards ASX announcement, in which it says: “The Company’s technology platforms are regularly penetration tested by independent certified cyber security companies as well as by our clients. All My Rewards data is stored in Australia.”
Is this an admission that it was an SQLi or are they trying to shift the blame?
Was this vulnerability caused by internal developers and/or the outsourced developers?
Did MyRewards’ clients like GoodGuys and Telstra review the Cyber Security of MyRewards appropriately before signing?
Are there indications that MyRewards should be doing more for their Cyber Security?
Are these questions useful or are the employees at MyRewards and their client companies having a horrible time and just looking for some help?
Until MyRewards provides further information we could be wrong, as we have only used public information from the internet, have no inside information, and have not provided any services, including Penetration Testing, to MyRewards.