On Friday the 18th of July 2014, Catch of the Day made the startling announcement that in early 2011 they were targeted by a cyber intrusion.

Catch of the Day, which also owns popular websites Scoopon, GroceryRun, EatNow and MumGo informed their customers on Friday of the data breach which compromised names, delivery addresses, email addresses and hashed passwords, while some credit card information was also accessed. Catch of the Day has confirmed that no other websites within their group were targeted by the attack.

The company made the announcement via email to their customers while also posting an image on their Twitter account. Catch of the Day advised their customers that if they had not changed their passwords since May 7, 2011, it is highly recommended that they do so to prevent their information being accessed by the cyber criminals.

What Did Catch of the Day Do At The Time of the Attack?

When Catch of the Day became aware of the data breach, the police, banks and credit card companies were immediately informed so as to assist the company in taking action to protect the information of their users. This included the cancellation of credit cards while an investigation was launched into discovering who the perpetrators were who carried out the data breach.

Importantly, the Australian Privacy Commissioner was also informed.

Catch of the Day are confident that only a very small portion of users had their credit card information compromised, primarily due to the fact that the company does not store full credit card data and payments on their own system and are processed by a third party bank instead. For the small number of customers whose credit card information was accessed, the effected banks and credit card companies launched their own fraud prevention measures to ensure that their clients’ accounts were closed.

The Question We Are All Asking…

Why did Catch of the Day wait over 3 years to inform their customers of the data breach?

In what has been viewed as an unusual method of handling the data breach incident, a large number of commentators and customers are left wondering what the possible explanation could be for doing so. If there was any concern surrounding the cyber criminals compromising the passwords of users, why not inform customers sooner so they had an opportunity to change their password for not only Catch of the Day, but also any other login with which they use the same password.

In Australia, companies are not required by law to disclose data breaches to their users. In May last year, a bill to force disclosure of data breaches was introduced in Parliament by the Labor Party but was never voted in at Senate.

Catch of the Day outlined in their statement that their security networks have undergone major upgrades to keep in line with industry standards, while also undertaking external audits and reviews to ensure that their sites and user data is as secure as possible.

If you have not altered your password for your Catch of the Day account prior to May 7, 2011, it is highly recommended you do so to prevent your personal information being accessed.