Catch of the Day rectifies data breach

As part of recommendations made by the Office of the Australian Information Commission to improve privacy arrangements, Catch of the Day has rebuilt its e-commerce platform and upgraded its security compliance.

Catch of the Day (COTD) implemented up to 20 recommendations made by the Office of the Australian Information Commission (OAIC) to improve its privacy governance arrangements, as well as processes around notifying customers of data breaches in the future.

Some of these recommendations included improving its response to the incident, such as notifying banks, credit card companies, and the police; commissioning a third-party expert to investigate the issue; rebuilding the e-commerce platform that was the subject of the attack; and upgrading its infrastructure to ensure compliance with the Payment Card Industry Data Security Standard (PCI DSS).

The commissioner expressed concern about the size of the breach, the possible compromise of financial information, and the significant delay between COTD becoming aware of the incident and notifying affected individuals.

The recommendations follow an internal privacy compliance assessment completed by COTD, the company that owns the Catch of the Day, Scoopon, EatNow, GroceryRun, and MumGo websites.

The OAIC's enquiry into COTD, now finalised, followed a data breach notification it received in June 2014. COTD informed the Australian Privacy Commissioner of a data breach it experienced in 2011, which resulted in the compromise of personal information belonging to COTD's Australian customer base, including credit card details, email addresses, delivery addresses, hashed passwords, and other customer information.

The company had also quietly notified customers to change their passwords three years after the initial breach. COTD at the time said it was informing the public three years late because "technological advances" meant there was an increased risk of the hashed passwords being compromised.

The company also informed customers it was working with banks and the Australian Federal Police to cancel cards. However, in a statement to ZDNet, the AFP denied hearing anything from the company at the time.

"AFP records do not show that any complaint was received in 2011 from the 'Catch of the Day' website," the spokesperson said.

COTD said since the compromise, the company has made "significant" investments in its online security.

"Catch of the Day is persistently developing with the ever-changing landscape of cyber security, and strives to continue to remain among the most secure places for Australians to shop online," it said.

COTD has been requested to provide the OAIC with a report on its implementation of the recommendations within three months.

The commissioner also finalised enquiries into Aussie Travel Cover (ATC), one of Australia's largest travel insurance companies, following a data breach notification received in December 2014.

Initial reports had revealed that an unknown number of government websites had been compromised by a hacker who reportedly exfiltrated more than 770,000 ATC records. However, based on the finalised enquiry, the OAIC said that the personal information of far fewer individuals was compromised in the attack than initially thought.

"The majority of the information extracted from ATC's systems as a result of the hack was corrupted during its extraction, and therefore was not accessible to the hacker in its original format," the commissioner concluded.

"133 insurance agents and four policyholders had their full ATC record extracted in an uncorrupted format as a result of the attack. ATC took steps to notify those individuals of the incident."

Actions ATC took to rectify the breach included notifying affected individuals; decommissioning its old website; commissioning third-party consultants to investigate the incident; and rolling out a new and secure website.

The OAIC commended both COTD and ATC for their responses to the breaches, and said it does not intend to take any further action unless it receives more complaints from adversely affected people.

The OAIC is currently investigating Woolworths over why AU$1.3 million worth of e-gift cards were cancelled, and why consumers' personal information and card access details were mistakenly emailed out.