Catch of the Day waits 3 years to reveal data breach

Australian daily deals website Catch of the Day announced on Friday evening a three-year-old data breach that compromised its customers' credit cards and passwords.

Australian daily deals website Catch of the Day has revealed its website was hacked in early 2011, compromising passwords and credit cards.


The company — which owns the Catch of the Day, Scoopon, EatNow, GroceryRun, and MumGo websites — informed customers late on Friday that people who joined the site prior to May 7, 2011 should change their passwords as a result.

"In early 2011, Catch of the Day and other online retailers were targeted by an illegal cyber intrusion, which compromised names, delivery addresses, email addresses and hashed (encrypted) passwords. In some cases credit card data was compromised. Other websites in our Group were not affected," the notice to customers stated.

"At the time, we immediately informed police, banks and credit card companies who assisted us in taking action to protect our users, which included cancelling credit cards and launching investigations into the perpetrators.

"We have also since informed the Australian Privacy Commissioner."

The company said it was notifying customers to change passwords today because "technological advances" meant there was an increased risk of the hashed passwords being compromised.

In a statement provided to ZDNet tonight, the company's group general manager Jason Rudy said that the company's security practices had improved since 2011.

"Our website security and technology is continually evolving and has undergone continual upgrades to keep in line with industry standards and best practices," he said.

"We unreservedly apologise to our customers for this incident. We take data security seriously and have taken strong measures to protect their personal information. We have committed significant resources both internally, with a large dedicated team and externally via expert consultants to ensure we meet industry standards."

Rudy's statement was provided in response to questions regarding why the company waited three years to inform the public of the data breach. Representatives for the company had not responded to a further request for comment at the time of writing.

Wine website Vinomofo, which was bought and sold by Catch of the Day between 2012 and 2013, said on Twitter it was unaffected by the breach.