Deals website Catch of the Day has told some of its customers their passwords and credit card details were stolen, three years after the data breach took place.
Owned by Australian e-commerce giant The Catch Group, Catch of the Day wrote to its customers advising them of the breach late last week.
What will the election mean to you?
Sign up to our free newsletter, including this weekend’s coverage of the election.
Catch of the Day said the site had been targeted by an illegal cyberattack on May 7 2011, which saw hashed (encrypted) passwords and user information such as names, addresses and email details taken from Catchoftheday.com.au’s database. Some credit card information was also stolen.
Three years later, the website is now advising customers to change passwords because “technological advances” meant there was an increased risk of the stolen passwords becoming compromised.
“As technology advances, there is a risk that those hashed passwords become compromised and Catch of the Day decided in light of these developments to proactively inform customers,” the company said in a statement.
Catch of the Day said it acted swiftly at the time to shut down the attack and reported it to the Australian Federal Police, banks and credit card companies, which took action to protect consumers, such as cancelling affected cards.
Users who had not changed their password since May 2011 were advised to do so, while those who had changed their passwords since the breach occurred were told they didn’t need to take any action.
“Our website security and technology is continually evolving and has undergone continual upgrades to keep in line with industry standards and best practices,” said Catch Group executive general manager Jason Rudy in the statement.
“We unreservedly apologise to our customers for this incident. We take data security seriously and have taken strong measures to protect their personal information.”
The company said it had committed significant resources via a large dedicated internal team and expert consultants to ensure it met industry standards.
iTWire is reporting Catch of the Day could have disclosed the vulnerability back in February 2012 when customers complained on the online forum Whirlpool about being spammed, but chose not to act.
Although Australian companies have some of the lowest levels of data breaches in the world, the average total cost of a data breach is thought to be around $3.75 million.
AVG security advisor Michael McKinnon told SmartCompany the letter to customers suggests Catch of the Day has concern over the stolen passwords, such as the possibility plain text versions may be able to be decoded.
This would mean any user who has the same password for different accounts could potentially experience further breaches.
McKinnon says Catch of the Day was likely warned by their legal team not to admit to the breach at the time of the incident. He says most legal teams will advise businesses not to say anything in the event of a breach.
“Actually admitting it when you don’t have to opens up legal liability,” says McKinnon.
However, McKinnon says there is a reputational impact to consider if a business doesn’t disclose a breach which later comes out. He says at end of day, there will be tension between the legal impacts and the PR consequences of disclosing a breach.
“This is a dilemma for all business, given the fact we don’t have mandatory disclosure laws,” says McKinnon.
In terms of the stolen credit card information, McKinnon says the merchant is not obliged to declare a breach. Rather, the banks take on that role.
“The banks would have cancelled the credit cards and contacted the customers to say we believe your card has been compromised,” he says.
He says the customer would never have known where the data breach came from.
McKinnon says Catch of the Day may have also faced pressure from law enforcement agents not to disclose the breach at the time, on the basis that they were currently investigating it.
“I would question, why has it come out now?”
He says in similar cases he’d seen, there was motivation to disclose a breach after the fact when it had become apparent databases were being traded.
“This might be a case of ‘stay tuned’,” he says.
This article first appeared on SmartCompany.