Catch of the Day Breach takes three years to report

Catch of the Day claims to be Australia's number one online department store. And a look at their prices and range makes it clear that they have a reasonable claim on that crown. They have received extensive media coverage on commercial news and current affairs shows. According to data from Hitwise, Australia's number one shopping site with 14.73% of all retail traffic from Australia. The only retail website with higher traffic was

But like many other large retailers, they have been the victim of hackers.
Incredibly, in an email to all their customers sent last Friday at 5:28PM (according to the mail header on the message we received), they admitted that they knew of the breach in May 2011. That's a full 38 months and some days from when the breach affected systems security.

Compare that with two recent, wide scale breaches -Target and eBay.

In the case of Target, the time between the breach of their Point of sale systems and going public was four days (reference: Timeline of Target's Data Breach And Aftermath: How Cybertheft Snowballed For The Giant Retailer).

With eBay, the elapsed time between report of the breach and customers being formally informed was a few days. And they were widely panned for the slowness of their reaction and their poor communication.

A look at the Catch of the Day website tells us nothing about the breach. There is no message on their website. The last entry in their blog refers to an online competition from April 2014.

The email they sent to customers, with the subject "Important Notice" doesn’t tell users about the breach until the fourth paragraph - and that's after a bunch of general advice about how it's a good idea to use unique passwords for each site you visit and how changing your password regularly is prudent.
We requested an interview a representative from Catch of the Day but were issued a statement. It told us "An illegal cyber attack in early 2011 saw hashed (encrypted) passwords and user information taken from’s database. Only those members who joined prior to May 7, 2011 were affected. A limited portion of these customers also had credit card data stolen".

Other sites in the Catch of the Day network, including Mumgo, Vino Mofo and Grocery Run were unaffected.

The statement also noted that Catch of the Day acted swiftly at the time to shut down the attack and inform authorities.

However, we were left with several other questions. Why was the breach made public now? Was the disclosure to the Privacy Commissioner in response to changes in the recent Privacy Act? Were the perpetrators ever caught? Will a message be posted on the Catch of the Day website?
We asked a spokesperson from Catch of the Day about these matters. We were told that there would be a media statement and that "we are not commenting any further".

It remains to be seen whether the disclosure of the breach has any effect on Catch of the Day's business. But companies that come out of the other side of security attacks successfully typically communicate promptly and clearly with their customers and show publicly that the cause of the breach has been addressed.

Our advice - if you're a Catch of the Day customer change your password. Although they say that the attack only affected accounts created before May 2011, we'd suggest changing passwords is a relatively straightforward safeguard to take.

We'd also advocate removing credit card data from all your online shopping accounts and either using gift cards or separate payment services that require different validation so that a breach at a shopping site doesn’t expose financial data.

This article is brought to you by Enex TestLab, content directors for CSO Australia

__________________________________________________________________________________ Hear from International keynote: Richard Thieme, Fran Trentley former CIO of the White House, Australia Post, Telstra, Serco Australia, CERT Australia, NBN Co, Atlassian and many more...

Earn upto 7 CPE credits for the day.Register today and receive your free book "mind games" signed by author on the day


Tags breachebayamazonTargethackedCatch of the Daycybertheft

Show Comments