Slashdot Mirror

← Back to Stories (view on slashdot.org)

Australian Website Waits Three Years To Inform Customers of Data Breach

Posted by Unknown on from the better-never-than-late dept.

AlbanX (2847805) writes Australian daily deals website Catch of the Day waited three years to tell its customers their email addresses, delivery addresses, hashed passwords, and some credit card details had been stolen. Its systems were breached in April 2011 and the company told police, banks and credit cards issuers, but didn't tell the Privacy Commissioner or customers until July 18th.

16 of 35 comments (clear)

  1. lawsuit? by Todd+Palin · · Score: 2

    This sounds like a perfect lawsuit to me. Their failure to limit the damage seems negligent. Perhaps a hefty class action suit is in order.

    1. Re:lawsuit? by penix1 · · Score: 4, Insightful

      A few years later and there is still no 'damage'...

      Nobody knows that. It isn't like the stolen data has a meta tag stating "this stolen data brought to you by Catch of the Day". People could have had their credit ruined because of this breach and never have connected it to the source because of Catch of the Day's security by obscurity.

      Any company that uses this tactic of reputation management deserves to lose ALL its customers because they can't be trusted to operate in a responsible way with your data.

      --
      This is a sig. This is only a sig. Had this been an actual sig you would have been informed where to tune for more sigs.
    2. Re:lawsuit? by penix1 · · Score: 1

      But purposely didn't tell the most important party in the chain.... The customer that may have been affected! As I stated above, it isn't like the thieves put a metatag on the stolen data saying "this stolen data brought to you by Catch of the Day". So identity theft resulting from this breech wouldn't be connected to them assuming the thieves even get caught.. And by then it is too late.

      Customers deserve a right to be informed IMMEDIATELY of breeches in security that may have an effect on them to alert them to watch for suspicious activity or afford them the opportunity to cancel the card before it racks up the outrageous charges.

      --
      This is a sig. This is only a sig. Had this been an actual sig you would have been informed where to tune for more sigs.
    3. Re:lawsuit? by doccus · · Score: 1

      Except police banks and card issuers were all told.

      And the credit card issuers didn't tell their customers?

  2. July 18th 2014 (obviously) by Mr0bvious · · Score: 1

    While implied in the subject, the body of the article failed to clarify that we were not told until July 18th 2014.

    --
    Never happened. True story.
    1. Re:July 18th 2014 (obviously) by Mr0bvious · · Score: 1

      Well, Mr Anonymous Coward ...sorry I insulted your intelligence.

      Though, I'm now stuck here struggling to determine who's post was more pointless, yours or mine.

      But whinging aside, why leave the reader to do any arithmetic, it's just simpler to state it regardless how obvious/trivial it may be.

      I believe most of us are capable of that trivial fucking bit of arithmetic.

      Though, given some replies I've seen here on /. over the years, I'm not convinced.

      --
      Never happened. True story.
  3. why bother now? by Trepidity · · Score: 1

    At this point they'd probably end up with fewer problems just by keeping it quiet forever.

    --
    10 PRINT CHR$(205.5+RND(1)); : GOTO 10
  4. Similar to by meerling · · Score: 1

    It's kind of like telling someone that their Great Great Grandfather died and expecting them to congratulate them on their promptness.

  5. Re:Online == Stolen by viperidaenz · · Score: 2

    Ha ha, CAPTCHA isn't shown when you're logged in?

  6. Scorecard by Kris_J · · Score: 1
    • Email: aliased. One point for me.
    • Password: not the same as any other site. Another point for me.
    • Credit card: nope, use PayPal. Doesn't feel like a point for anyone.
    • Address: moved since April 2011. Three points for me, total. Three and a half, maybe.

    Back to Pixel Miner.

  7. Re:It Worked by penix1 · · Score: 2

    No one noticed which means it was the correct plan and course of action to follow.

    No one noticed because they didn't know it was Catch of the Day that was the source of their stolen data that may have ruined their credit. And when their customers leave in droves because of this breech of trust, does that sound like a good business decision?

    Thank you for your patience and understanding.

    You may have patience and understanding with this kind of corporate malfeasance but I don't. I now know to stay leagues away from this company and to inform everyone I know about their nonchalance attitude towards data security and customer notifications of breeches.

    --
    This is a sig. This is only a sig. Had this been an actual sig you would have been informed where to tune for more sigs.
  8. Re:Online == Stolen by jones_supa · · Score: 1

    :D

  9. Bloody Wonderful! by Gumbercules!! · · Score: 1

    I've used that site, too...

    Not only did they take eternity to fess up but I found out about it via Slashdot - not from them. I have the same email address as 3 years ago, so I don't see why they couldn't have sent me an email??

  10. Q&A with CotD support person ... by davidmwilliams · · Score: 4, Informative

    Here is my story on this event, including (page 2) a "Q&A" I managed to get from them where they avoided most of my questions: http://www.itwire.com/business...

  11. No big harm by jones_supa · · Score: 1

    They won't suffer much harm business-wise, as this issue will mostly be forgotten over the weekend.

  12. Users thought it was fishy in 2012 by davidmwilliams · · Score: 4, Informative

    Catch of the day users noticed something was fishy back in February 2012. "We take data security seriously" said Catch of the Day rep. Yet CotD continued to choose not to tell anyone: http://www.itwire.com/business...