Hey, Catch of the Day. Can I call you Catch? Look, I know we haven’t talked in a while. I haven’t opened your emails, dropped by to say hey or even looked at what you’re up to on social media. But what you did on Friday was probably the worst way to get my attention you could have thought of, and now we have a problem.
On Friday, you attempted to rekindle our relationship with a little email that I noticed was eventually sent to all users.
I thought it was a playful attempt to rekindle our relationship. An important notice about a new direction you’re taking or a new product you’ll be offering to customers. Nope.
Instead, it was a message that you’d been hacked. That’s unfortunate, and can happen to even the biggest companies sometimes. What’s unacceptable is finding out that the hack in question was executed in 2011, and you’re only just telling me now.
That’s like your ex-girlfriend telling you that she cheated when your relationship was just starting out. You’ve since broken up for other reasons, but that shit still stings. Knowing that someone betrayed your trust and kept it from you for so long can ferment negative sentiment. Who woulda thunk it, right?
Here’s what you sent:
The message was carefully crafted and worded so that it looked like you were doing us a favour by telling us now, but instead it reeks of contempt and a fundamental disrespect for users.
Here’s a little excerpt that sent me into a prolific rage blackout:
At the time, we immediately informed police, banks and credit card companies who assisted us in taking action to protect our users, which included cancelling credit cards and launching investigations into the perpetrators. We have also since informed the Australian Privacy Commissioner.
Great work for informing the relevant parties about the hack. That was really responsible of you. Oh wait, no it wasn’t: you didn’t inform any of the affected users whose data it was in the first place, you idiots.
My bank is always watching my credit card to see if anything goes wrong with it. The police are always there for me to make a loss report to for insurance purposes, and they do a bit of investigating of crimes and such on the side. I don’t take any solace in knowing you told them and not us: they weren’t the first ones you should have called.
The Privacy Commissioner — you know, the one championing mandatory data breach disclosure notification laws — would have told you at the time to come clean: to bite the bullet and tell users that your service was compromised and people should probably change their passwords and keep an eye on their cards just in case.
You know what, all of the above probably told you the same thing: tell the users. But you declined. “Nope!” you thought. “Let’s avoid a PR nightmare for as long as possible”. But you forgot one important thing: the truth will out. Always. And now your nightmare has evolved into a shitstorm that I genuinely hope costs you users by the thousands.
We all trusted you to do the right thing with the data we gave you. Our email addresses, passwords and our precious credit cards. You abused that trust, and I don’t see why any of us should trust you again.
Worse still, you mentioned in your idiotic little memo that other retail websites in Australia had been hacked. I can only wonder who else that is, given that we haven’t really heard of any large-scale data breaches in the last few years featuring Australian retail websites. If you’re one of those companies reading this, consider this a slam against you too when you eventually reveal yourselves. Time to face the music, I reckon.
Your email also helpfully included a section on “how to protect your data online”. I can think of one way to do it: by never using your BS website again.
I, for one, look forward to never seeing you again.