Catch Of The Day reveals user data was stolen – three years after it occurred


[Screenshot dated 2014-07-19]

The massively popular (and occasionally crashing) deals website, Catch Of The Day, told its customers yesterday that they should change their passwords right now, after confirming it had suffered a massive data breach. And while the company confirmed that user information, hashed passwords and a small number of credit card numbers were stolen – that is not the big issue at the moment.

No, the big issue is that Catch Of The Day told its customers three years after the breach occurred. Yes, you read that correctly. It took them three years to reveal to customers that their personal information may have been stolen by attackers.

“An illegal cyber attack in early 2011 saw hashed (encrypted) passwords and user information taken from Catchoftheday.com.au’s database. Only those members who joined prior to May 7, 2011 were affected. A limited portion of these customers also had credit card data stolen. Other sites in our Group were not affected,” the company said in a statement.

According to the company, the reason it decided to tell its customers now was that there was a risk the salted password hashes could be cracked. Yes, because telling people now that their passwords were stolen – not a couple of days after finding out that you suffered a massive data breach – shows that you take “data security seriously.”

To their credit, they did say that they reported the breach to the Australian Federal Police, banks and credit card companies – who took additional steps to protect customers, such as cancelling cards.

However, none of that excuses the fact that Catch Of The Day did not tell its customers that their data may have been compromised. If those passwords were cracked before today’s announcement, they could well have given the attackers access to customers’ bank or email accounts, because many people reuse the same password across services.

And they did not give them the opportunity to change them until today.

There is only one word to describe Catch Of The Day at the moment – fucktards.

Note: I have a Catch Of The Day account, and that was registered last year when they tried to get everyone to use Visa’s V.me payment system. In other words, I am not affected by the breach. However, it just infuriates me that some companies – like Catch Of The Day – have a serious disregard for security. So yeah, they do deserve the ‘fucktards’ label.

Join the Conversation

  • Joey

    This is fully in line with my expectations. Some folks are surprised by this 3 year delay. So I ask you, WHO is the ignorant one? The person who is surprised by this, or the person who is not surprised because it is what they expected?

  • John

    This probably explains why my bank cancelled my card because of a suspicious offshore transaction. Thankfully they were alert. Also I use different passwords for all my accounts and online activity.

  • Jim

    To be honest, you should be changing your passwords every couple of months. If you are still using the same password from 2011, then you are partially to blame.

    • Aaron

      That is still no excuse to tell customers 3 years after the breach occurred. I myself have been a COTD user since before 2011 and I do change my passwords regularly, but I am still using the same card now as I was in 2011.