Australian Website Waits Three Years To Inform Customers of Data Breach

← Back to Stories (view on slashdot.org)

Australian Website Waits Three Years To Inform Customers of Data Breach

Posted by Unknown on Friday July 18, 2014 @06:02PM from the better-never-than-late dept.

AlbanX (2847805) writes Australian daily deals website Catch of the Day waited three years to tell its customers their email addresses, delivery addresses, hashed passwords, and some credit card details had been stolen. Its systems were breached in April 2011 and the company told police, banks and credit cards issuers, but didn't tell the Privacy Commissioner or customers until July 18th.

35 comments

Min score:

Reason:

Sort:

Wasn't the ruler of that company... by Anonymous Coward · 2014-07-18 18:08 · Score: -1

found to be one of those xians? This is typical of their kind.
lawsuit? by Todd+Palin · 2014-07-18 18:10 · Score: 2

This sounds like a perfect lawsuit to me. Their failure to limit the damage seems negligent. Perhaps a hefty class action suit is in order.
1. Re:lawsuit? by Anonymous Coward · 2014-07-18 20:58 · Score: 0
  
  This sounds like a perfect lawsuit to me.
  Except this is in Australia.
  
  Their failure to limit the damage seems negligent. Perhaps a hefty class action suit is in order.
  Mental anquish about something you didnt even know doesn't seem plausible. So let's see what else...
  A few years later and there is still no 'damage'...
  Again, this isn't America, you can't sue because your grumpy.
2. Re:lawsuit? by penix1 · 2014-07-18 21:35 · Score: 4, Insightful
  
  A few years later and there is still no 'damage'...
  Nobody knows that. It isn't like the stolen data has a meta tag stating "this stolen data brought to you by Catch of the Day". People could have had their credit ruined because of this breach and never have connected it to the source because of Catch of the Day's security by obscurity.
  Any company that uses this tactic of reputation management deserves to lose ALL its customers because they can't be trusted to operate in a responsible way with your data.
  
  --
  This is a sig. This is only a sig. Had this been an actual sig you would have been informed where to tune for more sigs.
3. Re:lawsuit? by Anonymous Coward · 2014-07-18 22:54 · Score: 0
  
  Except police banks and card issuers were all told.
4. Re:lawsuit? by Anonymous Coward · 2014-07-18 22:58 · Score: 0
  
  This sounds like a perfect lawsuit to me. Their failure to limit the damage seems negligent. Perhaps a hefty class action suit is in order.
  Well, for starters, one would have to find damage to define in the first place. And I'm suuuuuuure citizens will be completely honest when approached by a lawyer with the tasty reward of a cash settlement.
  Of course, they'll finally realize 7 years from now when the class-action hits the courtroom that the legal team ended up with millions, while the average citizen got a fart to the face and a coupon for 20% off Catch of the Day.
  This sounds like the perfect American answer to me. Sue the fuckers. It's like an automated response these days.
  Enjoy your insurance plans. All 482 of them, which will be mandatory for you to carry, and a felony if you don't, brought to you by the unending desire to sue the shit out of anything that breathes on you wrong.
5. Re:lawsuit? by Anonymous Coward · 2014-07-19 02:28 · Score: 0
  
  Yeah, sure, like everyone else: We all want to be victims and get some MONEY!
  All that happened here was, (A) they reported it to the appropriate authorities (actual authorities, not some lobby group that seeks out people to sue), and (B) Didn't tell the public about it because they tried to cover it up and had to likely because someone blackmailed them.
6. Re:lawsuit? by penix1 · 2014-07-19 04:18 · Score: 1
  
  But purposely didn't tell the most important party in the chain.... The customer that may have been affected! As I stated above, it isn't like the thieves put a metatag on the stolen data saying "this stolen data brought to you by Catch of the Day". So identity theft resulting from this breech wouldn't be connected to them assuming the thieves even get caught.. And by then it is too late.
  Customers deserve a right to be informed IMMEDIATELY of breeches in security that may have an effect on them to alert them to watch for suspicious activity or afford them the opportunity to cancel the card before it racks up the outrageous charges.
  
  --
  This is a sig. This is only a sig. Had this been an actual sig you would have been informed where to tune for more sigs.
7. Re:lawsuit? by Anonymous Coward · 2014-07-19 08:34 · Score: 0
  
  > Customers deserve a right to be informed IMMEDIATELY
  Again, this is not America.
8. Re:lawsuit? by doccus · 2014-07-20 04:31 · Score: 1
  
  Except police banks and card issuers were all told.
  And the credit card issuers didn't tell their customers?
It Worked by Anonymous Coward · 2014-07-18 18:15 · Score: 0

No one noticed which means it was the correct plan and course of action to follow. Thank you for your patience and understanding.
1. Re:It Worked by penix1 · 2014-07-18 21:52 · Score: 2
  
  No one noticed which means it was the correct plan and course of action to follow.
  No one noticed because they didn't know it was Catch of the Day that was the source of their stolen data that may have ruined their credit. And when their customers leave in droves because of this breech of trust, does that sound like a good business decision?
  
  Thank you for your patience and understanding.
  You may have patience and understanding with this kind of corporate malfeasance but I don't. I now know to stay leagues away from this company and to inform everyone I know about their nonchalance attitude towards data security and customer notifications of breeches.
  
  --
  This is a sig. This is only a sig. Had this been an actual sig you would have been informed where to tune for more sigs.
2. Re:It Worked by Anonymous Coward · 2014-07-19 12:38 · Score: 0
  
  Yup, and I feel exactly the same way. The CEO has also been interviewed by the IT wire and others asking why it took so long and they don't answer the question!
  Since they didn't address the length of time taken to inform customers or future policies regarding notify customers in the future, I've requested that my account be deleted.
July 18th 2014 (obviously) by Mr0bvious · 2014-07-18 18:21 · Score: 1

While implied in the subject, the body of the article failed to clarify that we were not told until July 18th 2014.

--
Never happened. True story.
1. Re:July 18th 2014 (obviously) by Anonymous Coward · 2014-07-18 22:10 · Score: 0
  
  Well, MrObvious ...since the headline says 3 years, I believe most of us are capable of that trivial fucking bit of arithmetic.
2. Re:July 18th 2014 (obviously) by Mr0bvious · 2014-07-18 22:25 · Score: 1
  
  Well, Mr Anonymous Coward ...sorry I insulted your intelligence.
  Though, I'm now stuck here struggling to determine who's post was more pointless, yours or mine.
  But whinging aside, why leave the reader to do any arithmetic, it's just simpler to state it regardless how obvious/trivial it may be.
  
  I believe most of us are capable of that trivial fucking bit of arithmetic.
  Though, given some replies I've seen here on /. over the years, I'm not convinced.
  
  --
  Never happened. True story.
Online == Stolen by Irate+Engineer · 2014-07-18 18:23 · Score: 0

Pretty much anything entered online == stolen.
Amirite?
Aw yeah, I'm right.
Ha ha, CAPTCHA is "redesign"

--
Left MS Windows for Linux Mint and never looked back!
Vote for Bernie in 2016!
1. Re:Online == Stolen by viperidaenz · 2014-07-18 19:04 · Score: 2
  
  Ha ha, CAPTCHA isn't shown when you're logged in?
2. Re:Online == Stolen by jones_supa · 2014-07-18 22:32 · Score: 1
  
  :D
just five minutes to the stage, todd! by Anonymous Coward · 2014-07-18 18:42 · Score: -1

Thank you for being a friend
Traveled down the road and back again
Your heart is true, you're a pal and a cosmonaut.
And if you threw a party
Invited everyone you knew
You would see the biggest gift would be from me
And the card attached would say, thank you for being a friend.
Slashdice beta rawks! How can I see to more of these intriguing pop over ads?????????
Subscribe me to the newsletter post haste!!!!!
why bother now? by Trepidity · 2014-07-18 18:45 · Score: 1

At this point they'd probably end up with fewer problems just by keeping it quiet forever.

--
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
Similar to by meerling · 2014-07-18 18:55 · Score: 1

It's kind of like telling someone that their Great Great Grandfather died and expecting them to congratulate them on their promptness.
Idiots by Anonymous Coward · 2014-07-18 19:17 · Score: 0

Fucking idiots.
I am so glad I never gave them any credit card details despite purchasing quite a few things from them.
Complete fucking idiots.
They've lost me as a customer forever.
Total complete fucking retarded idiots.
1. Re:Idiots by Anonymous Coward · 2014-07-18 20:50 · Score: 0
  
  I read this in an Australian accent. It was worth it.
  Also, I believe firmly in capital punishment for corporate offences (only). This would be a deserving example.
FUCK by Anonymous Coward · 2014-07-18 21:17 · Score: 0

I'm a catch of the day user, I've been getting spam to my email account associated with my catch account for the last few years.
At least now I know why...
Scorecard by Kris_J · 2014-07-18 21:25 · Score: 1
- Email: aliased. One point for me.
- Password: not the same as any other site. Another point for me.
- Credit card: nope, use PayPal. Doesn't feel like a point for anyone.
- Address: moved since April 2011. Three points for me, total. Three and a half, maybe.
Back to Pixel Miner.
1. Re:Scorecard by Anonymous Coward · 2014-07-18 23:25 · Score: -1
  
  ... point for me...
  Buying crap on catchoftheday in the first place. 1000 points off.
Because by Anonymous Coward · 2014-07-18 22:49 · Score: 0

Whose going to be pissed off about something that happened three years ago? Right?
How great by Anonymous Coward · 2014-07-18 23:04 · Score: 0

That I wait much less to post first.
Bloody Wonderful! by Gumbercules!! · 2014-07-19 00:14 · Score: 1

I've used that site, too...

Not only did they take eternity to fess up but I found out about it via Slashdot - not from them. I have the same email address as 3 years ago, so I don't see why they couldn't have sent me an email??
1. Re:Bloody Wonderful! by Anonymous Coward · 2014-07-19 12:43 · Score: 0
  
  I received an email. Only those that signed up before May 2011 got the email.
  Although I won't be surprised if they stuffed that up too.
Q&A with CotD support person ... by davidmwilliams · 2014-07-19 00:29 · Score: 4, Informative

Here is my story on this event, including (page 2) a "Q&A" I managed to get from them where they avoided most of my questions: http://www.itwire.com/business...
No big harm by jones_supa · 2014-07-19 00:43 · Score: 1

They won't suffer much harm business-wise, as this issue will mostly be forgotten over the weekend.
Users thought it was fishy in 2012 by davidmwilliams · 2014-07-19 00:53 · Score: 4, Informative

Catch of the day users noticed something was fishy back in February 2012. "We take data security seriously" said Catch of the Day rep. Yet CotD continued to choose not to tell anyone: http://www.itwire.com/business...
password on other sites by Anonymous Coward · 2014-07-20 15:11 · Score: 0

The whole point of telling customers is so they change the passwords they use on OTHER websites, that is the same as the one that is hashed