
MyRewards data breach is impacting GoodGuys, Telstra and potentially Australia Post, AIG, MLC, NAB and more…

GoodGuys has sent a notification that their supplier, Pegasus Group Australia Pty Ltd, now known as My Rewards Pty Ltd, has been hacked and customer data has been breached. The customer data included names, addresses, phone numbers, encrypted passwords, email addresses and some DOBs.

The notification says the breach appears to have occurred in August 2021. Telstra reported the same or similar data breach in Oct 2022.

So the MyRewards data breach has impacted GoodGuys and Telstra and has potentially impacted more of their clients as follows:

  • AIG
  • Dedalus
  • Australia Post
  • MLC
  • NAB
  • Civil Contractors Federation
  • Power2Motivate
  • Prezzee
  • Rexel
  • Ria
  • MotorOne Group
  • Victoria Chambers of Commerce and Industry
  • MyRepublic
  • MyIntegra
  • Peter Page Holden
  • Proslab
  • NatWest
  • WorkPac
  • AON
  • Wyndham Asia Pacific
Picture of MyRewards clients and suppliers

Vertex has decades of experience protecting existing Vertex clients and responding to Cyber Incidents for new Vertex clients, so if we read between the lines, apply some patterns and make some assumptions, what can we imagine might have happened?

The first check shows that MyRewards recently listed on the ASX, which provided $5 million in investment. MyRewards has 14 employees listed on LinkedIn. They have a Risk Management framework that is reviewed annually, so they would have identified and discussed Cyber Security as a Risk. They have internal PHP (Hypertext Preprocessor) developers and have outsourced development to 121 Outsource (prior to Aug 2020):

https://121outsource.com/case_studies/my-rewards-case-study/

So the likely scenarios for how the hackers gained access to the data are:

  • Insecure backups (which explains the old dates).
  • AWS, using insecure credentials.
  • The database, using a SQLi (SQL Injection) vulnerability in 2021.
  • Another vulnerable server/service connected or related to the database.

Because PHP (which encourages poor Cyber Security coding practices) is being used, along with a mix of external and internal developers, it is more likely that it was a SQLi vulnerability within the PHP website. Considering it appears to have happened in 2021, it is likely the hackers demanded a ransom, which should have highlighted this vulnerability to MyRewards, and hopefully they would have fixed it immediately. If they did know in 2021, then they would have had a responsibility in 2021 to report the data breach. This could indicate that regulatory fines and potential litigation might follow.

On this assumption, this could have been avoided with a WAF (web application firewall), secure code training, code frameworks, code reviews and a quality Penetration Test that could have detected the SQLi vulnerability before the hackers. Vertex Cyber Security provides and/or helps many tech businesses implement these and more Cyber Security protections.

As an example, Vertex finds critical vulnerabilities like this SQLi more than 60% of the time we perform our Penetration Tests, and this includes times when we have performed the Penetration Test after one of our competitors.

MyRewards have paused trading and released an ASX announcement about the data breach, in which they have said “The Company’s technology platforms are regularly penetration tested by independent certified cyber security companies as well as by our clients. All My Rewards data is stored in Australia.”

Is this an admission that it was an SQLi or are they trying to shift the blame?

Was this vulnerability caused by internal developers and/or the outsourced developers?

Did MyRewards’ clients like GoodGuys and Telstra review the Cyber Security of MyRewards appropriately before signing?

Are there indications that MyRewards should be doing more for their Cyber Security?

Are these questions useful or are the employees at MyRewards and their client companies having a horrible time and just looking for some help?

Hopefully time will tell, but in the meantime this is a good reminder to think about the Cyber Security of your business and contact the experts at Vertex Cyber Security to help.

Until MyRewards provide further information, we could be wrong, as we have just used public information on the internet, have no inside information and haven’t provided any services, including Penetration Testing services, to MyRewards.

(c) 2025 Vertex Technologies Pty Ltd.
