
Catch of the Day caught out by hackers

Customers of popular online shopping website Catch of the Day are being urged to change their passwords after the company disclosed on Friday it had suffered a data breach.

The breach, which compromised names, home addresses, email addresses, "hashed" passwords (stored as the output of a one-way hash function rather than as plain text; not, strictly, encrypted) and in some cases credit card data, occurred in early May 2011, Catch Group, which runs the site, said.

Online retailer Catch of the Day suffered a data breach in 2011.

The company disclosed the breach in an email sent to users after 5pm on Friday – 38 months after the data was initially stolen.

The breach was the result of an "illegal cyber intrusion" that targeted Catch of the Day and "other online retailers and businesses" in early 2011, it said in the email.

Catch of the Day's email.

"We sincerely apologise to our loyal customers that these events occurred and can assure you that we have dedicated significant resources to security and privacy to avoid these events in future," the email said.

Catch Group said it immediately informed police, banks and credit card companies at the time of the breach.

It said they assisted it "in taking action to protect our users". The assistance included banks cancelling customers' credit cards and police "launching investigations into the perpetrators".

Why the company decided to wait until now to report the breach to its customers has stumped IT security experts and users.

In its email, Catch Group said "technological advances" meant there was an "increasing risk" that its users' hashed passwords "may become compromised". That is the usual fate of a stolen password database: the hashes cannot be reversed directly, but whoever holds them can test guesses offline at whatever rate their hardware allows, and that rate has only risen since 2011, most sharply against fast, unsalted hash functions. For that reason the company asked all Catch of the Day users with accounts created before May 7, 2011, to change their passwords and credentials on its website and also on any other sites where they had used the same details.
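To make concrete why a three-year-old password dump is a growing rather than a shrinking risk, the following Python script, added here as an illustration and not code from the article or from Catch Group, runs the same offline dictionary attack against two constructed credential tables: one storing unsalted SHA-1 hashes, the other salted PBKDF2 hashes. The account names, passwords and wordlist are invented, and nothing about Catch of the Day's actual hash format is known from the article; the unsalted case is an assumption chosen to show the worst case.

```python
import hashlib
import hmac
import os

# Constructed example data (not real leaked credentials): three accounts whose
# passwords were stored as unsalted SHA-1, a storage style an attacker can
# crack with a single shared lookup table.
LEAKED_UNSALTED = {
    "alice@example.com": hashlib.sha1(b"password1").hexdigest(),
    "bob@example.com": hashlib.sha1(b"letmein").hexdigest(),
    "carol@example.com": hashlib.sha1(b"password1").hexdigest(),  # same password as alice
}

# Constructed stand-in for a cracking wordlist (real ones hold millions of entries).
WORDLIST = ["123456", "password", "letmein", "qwerty", "password1", "catchoftheday"]

# Work factor for the salted scheme. Kept modest so the demo runs in seconds;
# production deployments should use a higher count or a memory-hard KDF.
PBKDF2_ITERATIONS = 100_000


def crack_unsalted(leaked, wordlist):
    """Offline dictionary attack against unsalted hashes.

    Without a salt, hashing each candidate once is enough to test it against
    every account: the cost is O(words), independent of how many accounts were
    stolen, and accounts sharing a password are visible before any cracking.
    """
    table = {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table[h] for user, h in leaked.items() if h in table}


def hash_password(password, salt=None):
    """Salted, deliberately slow hash. Returns (salt, digest)."""
    if salt is None:
        salt = os.urandom(16)  # unique per account, stored alongside the digest
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def salted_records(plaintexts):
    """Build a credential table the way a site using hash_password would store it."""
    return {user: hash_password(pw) for user, pw in plaintexts.items()}


def crack_salted(records, wordlist):
    """The same dictionary attack against salted PBKDF2 records.

    Every guess must be recomputed per account with that account's salt, so the
    cost is O(words * accounts * iterations); no shared table helps and equal
    passwords no longer yield equal digests. Weak passwords still fall, only
    more slowly, which is why the advice is also to change them.
    """
    found = {}
    for user, (salt, digest) in records.items():
        for w in wordlist:
            if verify_password(w, salt, digest):
                found[user] = w
                break
    return found


if __name__ == "__main__":
    print("unsalted SHA-1 cracked:", crack_unsalted(LEAKED_UNSALTED, WORDLIST))
    records = salted_records({"alice@example.com": "password1",
                              "carol@example.com": "password1"})
    print("same password, same digest?",
          records["alice@example.com"][1] == records["carol@example.com"][1])
    print("salted PBKDF2 cracked:", crack_salted(records, WORDLIST))
```

Against the unsalted table one pass over the wordlist recovers every account at once, and a real attacker does that pass on GPUs at billions of hashes per second or skips it entirely with a precomputed table. The salted, iterated scheme removes the shared table and multiplies the per-guess cost, but a password that is in the wordlist is still found; that is the reason the notice asks users to change the password everywhere it was reused rather than rely on hashing alone.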

OMG's message to users.

Calls to Catch Group director Gabby Leibovich went unanswered on Monday.

Federal privacy commissioner Timothy Pilgrim said in a statement that Catch Group reported the breach to his office in June.

"The [Office of the Australian Information Commissioner] was not informed about the incident at the time it occurred," the commissioner said. "The OAIC has asked Catch of the Day for further information about the incident."

Online retailer Kogan Technologies said it had not been affected.

"For the avoidance of doubt, we would like to assure all customers that we were not affected by the security breach impacting the daily deals website, and the first we heard of it was ... late on Friday," Kogan said in a statement on its Facebook page.

Chris Gatford, of security firm HackLabs, said the amount of time between the breach and notification to users was "unusual".

"As a customer of this site, you do have to wonder about what specifically went wrong and some more detail around that would've been more helpful," Mr Gatford said. "Nonetheless, at least they are advising their customers and that's certainly something that doesn't happen very frequently."

He said most breaches went unreported. Of about 100 cases he has reported to Australian companies in the five years HackLabs has existed, only about 5 per cent have been publicly disclosed.

When reporting an incident, Mr Gatford said he was often met with "defiance, anger and disbelief". It was only when talking to senior staff that companies would tend to take more notice.

In Australia, companies are not required to disclose data breaches to their users. A bill by the Labor Party to force disclosure was introduced in Parliament in May last year but it was never voted on in the Senate. Labor has since accused the Coalition of stalling the legislation in Parliament.

Mr Gatford said a mandatory data breach notification scheme would be beneficial not just for consumers but also for business people, and he hoped it would make them start to think more seriously about security.

"The upside of [a mandatory data breach notification scheme] is an organisation does a better job [of securing its users' data]," he said.

In 2013–14, the federal privacy commissioner received 71 data breach notifications, a 16 per cent increase on the previous year. Despite the relatively small number, the privacy commissioner warned that critical incidents may still be going unreported. "Consequently consumers may be unaware when their personal information could be compromised," he said.

Catch of the Day's disclosure of the breach came a day after search engine optimisation firm Online Marketing Group, owned by Fairfax Media, also reported a data breach.

In an email to its customers last Thursday, OMG said it had become aware that one of its servers had become compromised. The server contained personal information including customers' names, postal addresses, telephone numbers, email addresses and passwords.

"Our analysis suggests that while there was unauthorised use of the server, there is no evidence that your customer data has been copied or viewed. As a precautionary measure, we require all users (both active and non-active) to take immediate action," OMG managing director Simon Carson said. The action suggested by OMG was to change compromised passwords.