Catch of the Day Breach takes three years to report

Catch of the Day claims to be Australia's number one online department store, and a look at their prices and range makes it clear that they have a reasonable claim on that crown. They have received extensive media coverage on commercial news and current affairs shows. According to data from Hitwise, it is Australia's number one shopping site, with 14.73% of all retail traffic from Australia. The only retail website with higher traffic was

But like many other large retailers, they have been the victim of hackers.
Incredibly, in an email to all their customers sent last Friday at 5:28PM (according to the mail header on the message we received), they admitted that they knew of the breach in May 2011. That's a full 38 months and some days after the breach occurred.

Compare that with two recent, wide-scale breaches: Target and eBay.

In the case of Target, the time between the breach of their point-of-sale systems and going public was four days (reference: Timeline of Target's Data Breach And Aftermath: How Cybertheft Snowballed For The Giant Retailer).

With eBay, the elapsed time between the report of the breach and customers being formally informed was a few days. And they were still widely panned for the slowness of their reaction and their poor communication.

A look at the Catch of the Day website tells us nothing about the breach. There is no message on their website. The last entry in their blog refers to an online competition from April 2014.

The email they sent to customers, with the subject "Important Notice", doesn't tell users about the breach until the fourth paragraph, and that's after a bunch of general advice about how it's a good idea to use unique passwords for each site you visit and how changing your password regularly is prudent.

We requested an interview with a representative from Catch of the Day but were instead issued a statement. It told us: "An illegal cyber attack in early 2011 saw hashed (encrypted) passwords and user information taken from [Catch of the Day's] database. Only those members who joined prior to May 7, 2011 were affected. A limited portion of these customers also had credit card data stolen".

Other sites in the Catch of the Day network, including Mumgo, Vino Mofo and Grocery Run were unaffected.

The statement also noted that Catch of the Day acted swiftly at the time to shut down the attack and inform authorities.

However, we were left with several other questions. Why was the breach made public now? Was the disclosure to the Privacy Commissioner in response to changes in the recent Privacy Act? Were the perpetrators ever caught? Will a message be posted on the Catch of the Day website?

We asked a spokesperson from Catch of the Day about these matters. We were told that there would be a media statement and that "we are not commenting any further".

It remains to be seen whether the disclosure of the breach has any effect on Catch of the Day's business. But companies that come out of the other side of security attacks successfully typically communicate promptly and clearly with their customers and show publicly that the cause of the breach has been addressed.

Our advice: if you're a Catch of the Day customer, change your password. Although they say that the attack only affected accounts created before May 2011, changing your password is a relatively straightforward safeguard to take.

We'd also advocate removing stored credit card data from all your online shopping accounts and instead using gift cards or separate payment services that require their own validation, so that a breach at a shopping site doesn't expose your financial data.

This article is brought to you by Enex TestLab, content directors for CSO Australia
