The massively popular (and occasionally crashing) deals website, Catch Of The Day, told its customers yesterday that they should change their passwords right now, after confirming it suffered a massive data breach. And while they confirmed that user information, encrypted passwords and a small number of credit card numbers were stolen – that is not the big issue at the moment.
No, the big issue is that Catch Of The Day told its customers three years after the breach occurred. Yes, you read that correctly. It took them three years to reveal to customers that their personal information may have been stolen by attackers.
“An illegal cyber attack in early 2011 saw hashed (encrypted) passwords and user information taken from Catchoftheday.com.au’s database. Only those members who joined prior to May 7, 2011 were affected. A limited portion of these customers also had credit card data stolen. Other sites in our Group were not affected,” the company said in a statement.
According to the company, the reason it decided to tell its customers now was that there was a risk that the salted passwords could be decrypted. Yes, because telling people now that their passwords were stolen – not a couple of days after finding out that you suffered a massive data breach – shows that you take “data security seriously.”
To their credit, they did say that they reported the breach to the Australian Federal Police, banks and credit card companies – who took additional steps to protect customers, such as cancelling cards.
However, all of that does not excuse the fact that Catch Of The Day did not tell their customers that their data may have been compromised. Those passwords, if they were decrypted before today’s announcement, were likely to give the attackers access to customers’ bank or email accounts, because many people reuse the same passwords.
And they did not give them the opportunity to change them until today.
There is only one word to describe Catch Of The Day at the moment – fucktards.
Note: I have a Catch Of The Day account, and that was registered last year when they tried to get everyone to use Visa’s V.me payment system. In other words, I am not affected by the breach. However, it just infuriates me that some companies – like Catch Of The Day – have a serious disregard for security. So yeah, they do deserve the ‘fucktards’ label.