This website waited three years to warn users of a data breach

If you want a good idea of exactly what not to do in informing customers of a data breach involving your website, follow the lead set by Australian website Catch of the Day. Catch of the Day, an Australian retail website offering discounted prices and deals on a range of products, suffered a severe security breach in early 2011. Names of customers, plus their delivery addresses, email addresses and encrypted passwords were compromised, alongside credit card information in some circumstances. Astonishingly, it took Catch of the Day three years to inform their customers of the security breach. An email sent out to users on Friday evening local time suggested that anyone who registered an account before May 7, 2011 should change their passwords, as “technological advances” has lead to an increased risk of the encrypted passwords being uncovered.

The company — which owns the Catch of the Day, Scoopon, EatNow, GroceryRun, and MumGo websites — informed customers late on Friday that people who joined the site prior to May 7, 2011 should change their passwords as a result. “In early 2011, Catch of the Day and other online retailers were targeted by an illegal cyber intrusion, which compromised names, delivery addresses, email addresses and hashed (encrypted) passwords. In some cases credit card data was compromised. Other websites in our Group were not affected,” the notice to customers stated. “At the time, we immediately informed police, banks and credit card companies who assisted us in taking action to protect our users, which included cancelling credit cards and launching investigations into the perpetrators. “We have also since informed the Australian Privacy Commissioner.” The company said it was notifying customers to change passwords today because “technological advances” means there was an increased risk of the hashed passwords being compromised. In a statement provided to ZDNet tonight, the company’s group general manager Jason Rudy said that the company’s security practices had improved since 2011. “Our website security and technology is continually evolving and has undergone continual upgrades to keep in line with industry standards and best practices,” he said.