Data breach sees Woolworths gift cards leaked in email bungle

A case of mistaken emailing has allegedly seen details of AU$1.3 million worth of Woolworths gift cards leaked online, opening access to customers' details, purchase history and shopping credit.

Claire Reilly Former Principal Video Producer
Claire Reilly was a video host, journalist and producer covering all things space, futurism, science and culture. Whether she's covering breaking news, explaining complex science topics or exploring the weirder sides of tech culture, Claire gets to the heart of why technology matters to everyone. She's been a regular commentator on broadcast news, and in her spare time, she's a cabaret enthusiast, Simpsons aficionado and closet country music lover. She originally hails from Sydney but now calls San Francisco home.
Expertise Space, Futurism, Science and Sci-Tech, Robotics, Tech Culture Credentials
  • Webby Award Winner (Best Video Host, 2021), Webby Nominee (Podcasts, 2021), Gold Telly (Documentary Series, 2021), Silver Telly (Video Writing, 2021), W3 Award (Best Host, 2020), Australian IT Journalism Awards (Best Journalist, Best News Journalist 2017)
Claire Reilly
2 min read


Woolworths has been forced to cancel more than AU$1.3 million worth of gift cards after a massive data breach saw card details leaked in an email to customers.

The breach saw the details of thousands of Woolworths 'e-gift cards' mistakenly emailed out to customers, with details on purchase history as well as digital access to redeem the cards and spend the balance online.

The e-gift cards are purchasable online and act as an alternative to plastic gift cards sold in Woolworths' chain of stores -- including Big W, Caltex petrol stations and Woolworths supermarkets. The digital vouchers allow customers to shop online by entering an e-gift Card number and PIN at the online checkout, rather than details of a credit or debit card.

Fairfax Media reported that the data for 7,941 online cards was allegedly leaked to customers in an Excel spreadsheet, mistakenly sent to more than 1,000 Woolworths customers who had purchased the e-gift cards through a deal on the group buying site GroupOn. The spreadsheet included the names and email addresses of thousands of customers along with a link to download the details of the store vouchers, totalling AU$1,308,505 in store credit.

While Woolworths normally sends customers a PDF document with redemption details once they have ordered an e-gift card, Fairfax reports that GroupOn customers instead received the excel spreadsheet, granting them to access to thousands more online vouchers.

While GroupOn was did not provide comment on the incident, CNET understands that the data breach occurred was caused by an issue at the Woolworths end of the chain.

For its part, Woolworths did not comment on the cause of the data breach or how many customers were affected, however a spokeswoman for the company provided the following statement:

Woolworths takes the concerns of its customers and data security seriously.

On Saturday we were alerted to a technical fault with an e-gift card offered to customers. These e-gift cards have been cancelled and affected customers have been provided with new e-gift cards for use in-store.

Woolworths apologises for the inconvenience this has caused our customers.

While GroupOn has run promotions on discounted Woolworths gift cards before, this appears to be the first time a data breach has impacted those buying through the site. Australia currently has no laws requiring companies to disclose data breaches affecting customers -- an issue that was thrown into stark relief after daily deals site Catch of the Day took three years to notify customers of a breach in their security.

Following this breach, Federal politicians stepped up calls to tighten disclosure laws, and the most recent news from Woolworths will no doubt bring the issue to the fore once more.