Catch of the Day waits 3 years to reveal data breach

Summary: Australian daily deals website Catch of the Day announced a three-year-old data breach compromising credit cards and passwords to its customers on Friday evening.


Australian daily deals website Catch of the Day has revealed its website was hacked in early 2011, compromising passwords and credit cards.

(Image: Screenshot by Josh Taylor/ZDNet)

The company — which owns the Catch of the Day, Scoopon, EatNow, GroceryRun, and MumGo websites — informed customers late on Friday that people who joined the site prior to May 7, 2011 should change their passwords as a result.

"In early 2011, Catch of the Day and other online retailers were targeted by an illegal cyber intrusion, which compromised names, delivery addresses, email addresses and hashed (encrypted) passwords. In some cases credit card data was compromised. Other websites in our Group were not affected," the notice to customers stated.

"At the time, we immediately informed police, banks and credit card companies who assisted us in taking action to protect our users, which included cancelling credit cards and launching investigations into the perpetrators.

"We have also since informed the Australian Privacy Commissioner."

The company said it was notifying customers to change passwords today because "technological advances" means there was an increased risk of the hashed passwords being compromised.

In a statement provided to ZDNet tonight, the company's group general manager Jason Rudy said that the company's security practices had improved since 2011.

"Our website security and technology is continually evolving and has undergone continual upgrades to keep in line with industry standards and best practices," he said.

"We unreservedly apologise to our customers for this incident. We take data security seriously and have taken strong measures to protect their personal information. We have committed significant resources both internally, with a large dedicated team and externally via expert consultants to ensure we meet industry standards."

Rudy's statement was provided in response to questions regarding why the company waited three years to inform the public of the data breach. Representatives for the company had not responded to a further request for comment at the time of writing.

Wine website Vinomofo, which was bought and sold by Catch of the Day between 2012 and 2013, said on Twitter it was unaffected by the breach. 

Topics: Security, Privacy, Australia


Armed with a degree in Computer Science and a Masters in Journalism, Josh keeps a close eye on the telecommunications industry, the National Broadband Network, and all the goings on in government IT.

  • Color me skeptical... the believability factor of their position is low

    I'd think a full accounting by the Australian authorities is in order and some serious smackdown (fines and free customer financial/protection services) should result. This kind of behavior is just unacceptable regardless of how innocent they try to appear.
  • Are you kidding? Three years ago?

    Is this some kind of record for delayed notification?
  • The question is: why now?

    As a privacy lawyer and information security and data governance consultant, I have the feeling that I am losing something in this story. Why now?

    A procedure in case of suffering a data breach is something any company managing personal data should have implemented. Usually these procedures have clear action points about taking measures such as communicating the breach to banks, authorities AND customers.

    I sincerely would like to understand why they are communicating this to customers three years late. My first idea is that it is just reputation, yet at the end of the day transparency and honesty are more relevant for users.
    • No plans ...

      "A procedure in case of suffering a data breach is something any company managing personal data should have implemented."

      I'm guessing that they had no plan in place.