Catch of the Day waits 3 years to disclose data breach

Daily deals website Catch of the Day tells customers to update their passwords more than three years after a data security breach in early 2011.

Seamus Byrne Editor, Australia & Asia


In a belated disclosure released late on Friday, daily deals website Catch of the Day sent a message to customers revealing it was hacked in May 2011 in an incident that exposed customer data, including passwords and credit card details.

In the email, the company explained the extent of the intrusion and said that the authorities were informed at the time.

"In early 2011, Catch of the Day and other online retailers were targeted by an illegal cyber intrusion, which compromised names, delivery addresses, email addresses and hashed (encrypted) passwords. In some cases credit card data was compromised. Other websites in our Group were not affected," the notice to customers stated, as reported by ZDNet.

"At the time, we immediately informed police, banks and credit card companies who assisted us in taking action to protect our users, which included cancelling credit cards and launching investigations into the perpetrators."

In a media statement released via an image posted to Twitter, the company said that "as technology advances, there is a risk that those hashed passwords become compromised and Catch of the Day decided in light of these developments to proactively inform customers."

Not all customers had credit card data stolen, and the company stated it "acted swiftly at the time" to work with the Australian Federal Police, banks and credit card companies to protect customers, including cancelling cards.

The media statement went on to apologise to customers and suggest that all users who have been with the site since before May 7, 2011 and have not changed their password since then should do so. Users who repeat the same password on other services should update it at those services too.

No statement has been posted to the main Catch of the Day website, nor its blog or its press area.

CatchoftheDay.com.au Pty Ltd also owns EatNow, GroceryRun, MumGo and Scoopon. The company stated that no other websites in the group were impacted.

Many users are expressing shock on social media that the company waited so long to inform customers, and CNET hopes to learn more about the reasons for the delay. We will update this story when we hear more from the company.