Catch of the Day comes clean on 2011 breach of customer data

The Australian daily deals website on Friday disclosed that hackers compromised names, home addresses, email addresses, encrypted passwords, and in some cases credit card data three years ago.

The Catch Group, which owns Catch of the Day, Scoopon, EatNow, GroceryRun, and MumGo, notified users by email about the incident – 38 months after the data was initially taken.

The breach was the result of an "illegal cyber intrusion" that targeted Catch of the Day and "other online retailers and businesses," the company said in the message.

Catch Group said it immediately informed police, banks and credit card companies at the time of the breach.

Why did the Catch Group wait until now to inform its customers?

In its email, the company said "technological advances" meant there was an "increasing risk" that its users' encrypted passwords "may become compromised", which was why it was asking all users with accounts created before May 7, 2011, to change their credentials on its website.

"The [Office of the Australian Information Commissioner] was not informed about the incident at the time it occurred," Federal privacy commissioner Timothy Pilgrim said in a statement.

In response to questions from ZDNet regarding why the company delayed telling the public, the company said its security practices had improved since 2011.

"Our website security and technology is continually evolving and has undergone continual upgrades to keep in line with industry standards and best practices," the company said in a statement to ZDNet.

"We unreservedly apologise to our customers for this incident. We take data security seriously and have taken strong measures to protect their personal information. We have committed significant resources both internally, with a large dedicated team and externally via expert consultants to ensure we meet industry standards."