This week, deal site Catch of the Day sent out an email regarding an “illegal cyber intrusion” of its website to affected users. The company believes “names, delivery addresses [and] email addresses”, as well as encrypted passwords and “in some cases” credit card data, were compromised during the attack. Fair enough you might say, letting people know you’ve been hacked. Shame it took CotD three years to do it.
The email does not explain why it took so long for the company to inform affected users of the breach, which occurred in “late April and early May 2011”, though it does attempt to deflect by stating that “police, banks and credit card companies” were notified and the site has since “undergone major upgrades” to secure customer information.
It goes on to explain that only accounts created before 7 May 2011 were affected and that those who fall on the wrong side of this date should change their password (if they haven’t already done so). Despite only storing a salted hash of users’ passwords, CotD is concerned that “technological advances” can allow determined parties to recover the original passwords from these hashes.
In regards to compromised credit card data, the email says a “relatively small portion of users” have anything to worry about, though providers apparently cancelled jeopardised cards shortly after the breach.
It’s all well and good that the company has come clean now but geez, three years is a long time to hold off telling those directly affected. It’d also be a good idea to put a post up on the site itself, though there’s no mention of the intrusion on Catch of the Day’s blog (and nothing was posted during the time of the attack).
A single line in the email states that CotD has “since informed the Australian Privacy Commissioner”, so I expect we’ll hear more about this in the future, depending on how the department decides to proceed.