Catch of the Day delays informing Privacy Commissioner of breach

Australian deals website Catch of the Day did not disclose a 2011 data breach to the Office of the Australian Privacy Commissioner until last month, despite knowing of the breach at the time it occurred.

As customers demand daily deals website Catch of the Day begin deleting their accounts, the Office of the Australian Privacy Commissioner has confirmed it was only informed about a 2011 data breach affecting the website last month, ahead of the company's public disclosure on Friday evening.

On Friday evening, as news was dominated by the deaths of close to 300 people on Malaysia Airlines flight MH17, Catch of the Day quietly notified customers to change their password, revealing that it had been the victim of a data breach in May 2011, in which credit card details, email addresses, delivery addresses, hashed passwords, and other customer information had been obtained.

The company, which owns the Catch of the Day, Scoopon, EatNow, GroceryRun, and Mumgo websites, said it worked with banks and the Australian Federal Police to cancel cards, but it appears that customers were not informed of the source of the issue at the time.

Catch Group now said it was informing the public three years later because "technological advances" meant that it may be now possible for the hashed passwords to be compromised.

Catch of the Day claimed in its statement to customers on Friday that, since the breach, the Australian Privacy Commissioner had also been informed.

ZDNet can confirm, however, that the Australian Privacy Commissioner, Timothy Pilgrim, was only informed last month. In a statement provided to ZDNet, Pilgrim said his office was only made aware of the incident in June.

"In June 2014, the Office of the Australian Information Commissioner was notified by Catch of the Day about a data breach that occurred in 2011. The OAIC was not informed about the incident at the time it occurred. The OAIC has asked Catch of the Day for further information about the incident," Pilgrim said.

Catch of the Day was not obligated to notify the Privacy Commissioner about the breach, but companies routinely inform the commissioner when a breach occurs. Pilgrim said in 2013-2014 there were 71 data breach notifications to his office, but said a number of incidents may still go unreported.

"People affected by data breaches that may have serious financial or other consequences are unable to take mitigating steps to protect their personal information if they are not appropriately notified," he said.

"Data breach notification can also be a positive for organisations as it can promote transparency and trust about how an organisation handles personal information."

The former Labor government attempted to bring about mandatory data breach notification laws before the September election, and has again tried to introduce them from opposition in the new parliament, but so far the legislation has not been passed.

It comes as a number of customers have taken to Facebook and Twitter to ask the company to close their accounts following the three-year delay in informing the public of the breach.

In Catch of the Day's original statement, the company stated that "other online retailers" were also affected by the data breach. ZDNet has sought additional information from the Australian Federal Police; however, one retailer has already confirmed on its Facebook page that it was not a victim of the security breach.

Catch of the Day is still declining to answer questions on why it waited three years to inform customers. On its Facebook page, customers who have raised the question have been provided an apology without explanation. Multiple requests for comment from ZDNet to Catch of the Day have gone unanswered, with spokespeople for the company directing ZDNet back to the company's original media statement from Friday.

The date of the data breach incident aligns with the announcement in May 2011 that Catch of the Day had secured an AU$80 million investment from a consortium of investors including James Packer's Consolidated Press Holdings, and Seek co-founder Andrew Bassat.