An Open Letter To Catch Of The Day: We Are Never, Ever, Ever Getting Back Together

Hey, Catch of the Day. Can I call you Catch? Look, I know we haven't talked in a while. I haven't opened your emails, dropped by to say hey or even looked at what you're up to on social media. But what you did on Friday was probably the worst way to get my attention you could have thought of, and now we have a problem.

On Friday, you got in touch with a little email that I noticed was eventually sent to all users.

I thought it was a playful attempt to rekindle our relationship. An important notice about a new direction you're taking or a new product you'll be offering to customers. Nope.

Instead, it was a message that you'd been hacked. That's unfortunate, and can happen to even the biggest companies sometimes. What's unacceptable is finding out that the hack in question was executed in 2011, and you're only just telling me now.

That's like your ex-girlfriend telling you that she cheated when your relationship was just starting out. You've since broken up for other reasons, but that shit still stings. Knowing that someone betrayed your trust and kept it from you for so long can ferment negative sentiment. Who woulda thunk it, right?

Here's what you sent:

The message was carefully crafted and worded so that it looked like you were doing us a favour by telling us now, but instead it reeks of contempt and a fundamental disrespect for users.

Here's a little excerpt that sent me into a prolific rage blackout:

At the time, we immediately informed police, banks and credit card companies who assisted us in taking action to protect our users, which included cancelling credit cards and launching investigations into the perpetrators. We have also since informed the Australian Privacy Commissioner.

Great work informing the relevant parties about the hack. That was really responsible of you. Oh wait, no it wasn't: you didn't inform any of the affected users whose data it was in the first place, you idiots.

My bank is always watching my credit card to see if anything goes wrong with it. The police are always there for me to file a loss report with for insurance purposes, and they do a bit of investigating of crimes and such on the side. I don't take any solace in knowing you told them and not us: they weren't the first ones you should have called.

The Privacy Commissioner -- you know, the one championing mandatory data breach disclosure notification laws -- would have told you at the time to come clean: to bite the bullet and tell users that your service was compromised and people should probably change their passwords and keep an eye on their cards just in case.

You know what, all of the above probably told you the same thing: tell the users. But you declined. "Nope!" you thought. "Let's avoid a PR nightmare for as long as possible". But you forgot one important thing: the truth will out. Always. And now your nightmare has evolved into a shitstorm that I genuinely hope costs you users by the thousands.

We all trusted you to do the right thing with the data we gave you. Our email addresses, passwords and our precious credit cards. You abused that trust, and I don't see why any of us should trust you again.

Worse still, you mentioned in your idiotic little memo that other retail websites in Australia had been hacked. I can only wonder who else that is, given that we haven't really heard of any large-scale data breaches in the last few years featuring Australian retail websites. If you're one of those companies reading this, consider it a slam against you too when you eventually reveal yourselves. Time to face the music, I reckon.

Your email also helpfully included a section on "how to protect your data online". I can think of one way to do it: by never using your BS website again.

I, for one, look forward to never seeing you again.

Cheers, Luke



    Same Luke, I went into a fucking rage when I read their email. Luckily for me (I think) I have almost always used PayPal when using their site (which, in the last three years, has probably been about 3 times anyway). I won't be going back there. I hope they rot and die. I'll be removing my account asap rather than give them another dollar of mine.

    Did it ever occur to anyone the police may have directed Catch Of The Day NOT to tell users?

    That demand would have come with a gag order preventing COTD from ever disclosing they were directed to do that too - so don't expect their CEO/director to come out and say "oh yeah this is the reason why we left it for 3 years" because that will never happen.

    Suffer a dip in revenue from a few disgruntled users or go to jail? Hmmm..... tough choice for gizmodo writers apparently.

    Besides, this happened 3 years ago - whatever information was taken is out there now and if someone was going to ruin your life as a result of having this data they would have done it by now. I've always used paypal on their site, they've always sent my products out quickly, so I'll happily support them again.

    Last edited 21/07/14 10:17 am

      For what purpose would the cops have made such a request/demand?
      To make CoTD a Honeypot?

      You appear to be quite happy that they've happily let you use a (potentially) compromised password for the past 3 years!

      Last edited 21/07/14 10:30 am

        For the same reasons the police always make those requests - so as not to tip off the attackers - I don't know, I'm not connected with the organisation in any way.

        As for compromised passwords - who cares? They can't order anything and have it charged to me because they would also need my paypal username & password + my security token from paypal.

        I think you'll find that 90%+ of catch of the day's customer base won't care.

        Also my account was created after May 2011 so this breach doesn't impact me anyway. Plus everyone should be changing their passwords for anything shopping or money related on a regular basis.

        In 2013-14 the Privacy Commissioner was notified of 71 data breaches. Not every data breach is reported by gizmodo and not every breach requires a panic button to be hit.

        Last edited 21/07/14 4:17 pm

          I don't even know where to begin with this post...

      I’ve never heard of police telling a merchant to not tell their potential fraud victims. I also can’t comprehend a reason why they would ever do that.
      I think you’re desperately reaching for an excuse here.

      That's taking the benefit of the doubt too far, may as well make up a tragic heroic story to go along with it instead:
      The CEO of catch of the day heroically, selflessly dived into raging floodwaters to save a mother and her 6 year old child who was dying off the cancer-aids... he took the girl to hospital, walking 20km barefoot and naked in the freezing rain... but it was too late, she was dying off the cancer-aids anyway! With her last dying breath she begged the CEO not to disclose any hacks on his site till 3 years after her death. The poor CEO has been following those wishes ever since T_T

      How can these selfish douches hate him for that? Inhuman!

    Apart from that, however, has anyone else noticed Catch of the Day has sort of turned into "unsold catches from the last three years"? Very rarely see those great deals you used to get once a day anymore.

      The deals are very rarely a 'catch'. Usually a quick Google or eBay search can find a better deal on the products.

    Luke - Lifehacker guide to cancelling CoTD accounts should be the followup article.

      Yes, spent the last 10 minutes trawling their site and the net and can't find a way to remove my account..

      Ask, and you shall receive.

        Hell hath no fury like Luke Hopewell scorned?

    I never got the email, but COTD is never getting another dollar off me - I was getting some batteries with the $50 voucher from the wireless headphone deal, after ordering I realised COTD was selling off the same batteries *on eBay for a lower price - with FREE shipping* ... that's a pretty crappy way to treat returning customers! bunch of a'holes afaic.

    I didn't get the email, I can only assume that I wasn't affected?

      I didn't either, but I don't think I'd used COTD yet in 2011.

    Another thing that annoyed me about this email was that it didn't give me any information I needed to determine if I was impacted by this hack, information they have, and I don't. A simple thing like the date I joined, and the date I last changed my password could and should have been provided.

    I also love how they sent this on a Friday afternoon. Good to know that the media still picked up on it and is slamming them for it.

    I also wonder at what point in the 3 years they contacted the Australian Privacy Commissioner, since "We have also since informed the Australian Privacy Commissioner." sounds like they only just recently informed them, or at least, not at the time of the breach.

    I signed up in 2011, but never saw value in any of their so called catches. The site was a piece of shit even then.

      I'm in the same boat.... I don't necessarily dislike them because of the article... I just think they were crap to start off with.

        They used to have some decent deals occasionally, but 2011 was around when they stopped being worth watching. These days I don't even glance at what they're selling.

        At one point they were selling one thing each day, which was usually a good deal (and would often sell out pretty quickly). I would probably say they started sucking when they launched Scoopon in April 2010. Last time I actually bought something from them was January 2011.

        Wow, I've been ignoring them for that long?

    Well I've been using Catch of the Day for ages but didn't receive that email. Weird. At least their stuff is the genuine item, not copies like another discount site I've used.

    As I've stated on Twitter, my Visa debit card number *was* stolen late May 2011, and used in the UK. I was a customer of Catch at the time. I'm waiting on Catch to advise whether I was one of the lucky users they didn't notify.

    They told me on Fb "Your bank would have advised you, had your card been compromised..."

    To which I responded, "not if someone used it and it got cancelled before they got the chance to advise me."

    Now awaiting a formal response from Catch. Maybe it was just an exquisitely badly timed coincidence...

      I also had two of my credit card numbers used in France around the same time - funnily enough I suspected COTD at the time but figured I could do nothing to prove it. But they were the only online merchant that I could remember using both of the credit cards at. It seems it was the case. Luckily my credit union stopped the transactions before they hit my account.


    People don't read emails on a Friday afternoon...WRONG!
    Let customer accounts be active or dormant for three years with the possibility they have been compromised...WRONG!
    Make the COTD press release sound like they put customers first, when they didn't...WRONG!

    Sever all association with COTD immediately...NOT WRONG!

    Maybe we should start a petition for them to get fined for lack of notification.

      Thankfully the law does not work this way

        I only meant it if it was actually applicable, to bring it to the attention of the powers that be.

          I would think here would be a place to start - file a privacy complaint.

    I'm glad to see there was equal outrage from Gizmodo when eBay hid that there had been a breach and then forced password changes, breaking their site... Seems reasonable.

      You're missing the point. COTD hid it for 3 years and tried to bs users with some crafty email.

        Three months, three years, who cares, it's the same old bullshit. The difference is the author couldn't contemplate shopping online without eBay, so let them get away with it.

    I had some random purchases made on my CC a while back, I could not conceivably figure out where they got my card details from, this might explain it. I liked COTD when they first started, I subscribed to their newsletter as it was mainly tech. Turned out to be almost bait-and-switch after all the random crap they started flogging. I never got any of the limited hour deals (server always congested). Started out great but I guess all businesses are there to make money. Ozbargain is the way to go for tech deals.

      I use disposable email addresses for signing up to different sites, so if one of them is hacked or starts spamming, I know exactly where the spam came from, can inform them, and can block the email address. We need the exact same thing for credit cards. You have a single master card number. When you want to buy online, you log in to internet banking and register child numbers for each of the services or online stores you use, and purchase using those numbers. If one of the numbers is breached, you cancel that one number, all your other numbers are fine, and credit card companies can track down exactly where the number came from. This would pretty much end stolen credit card numbers forever.

        That system sort of already exists. Virtual Credit/Debit Cards I think they call them.
        They're disposable prepaid debit cards. Don't ask me exactly how they work etc, my dad was going on about them.

    I never received that email about the security... damn I'm slow

      It was sent to the person who hacked your account.
