Australian shopping website CatchOfTheDay has warned customers of a data breach dating back to 7 May 2011, urging anyone who has kept the same password at the site since that date to change it.
The site purports to be “Australia’s number one shopping site”, claiming 14.73% of all retail traffic from Australia, with over 2 million registered users and a sale made every second.
It’s not been made clear how many customers were affected by the breach.
CatchOfTheDay is part of a group including several other popular Australian deals sites, but these are not thought to have been affected by the compromise.
The breach apparently leaked names, email and postal addresses, hashed and encrypted passwords, and in some cases payment card details.
Police and financial firms were informed at the time and, CatchOfTheDay states in its notice to customers, “assisted us in taking action to protect our users, which included cancelling credit cards and launching investigations into the perpetrators”. A full public disclosure was not thought necessary as the passwords were stored reasonably safely and therefore people were not at “real risk of serious harm”.
The breach was also at some point reported to the Australian Privacy Commissioner.
It seems the decision to disclose fully at this late stage was down to fears that faster cracking methods meant the encryption on the password list was no longer as safe as previously assumed.
Efforts to introduce mandatory data breach notification in Australia stalled last year but have recently been revived by parliament. Current government advice is that, “In general, if a data breach creates a real risk of serious harm to the individual, the affected individuals should be notified”, but this is not yet legally enforced.
General manager Jason Rudy said that the company’s security practices had improved since 2011:
“Our website security and technology is continually evolving and has undergone continual upgrades to keep in line with industry standards and best practices.”
Breaches are making a lot of headlines lately, and the numbers of affected people are getting ever larger. A report from the New York State Attorney General claims that between 2006 and 2013, 22.8 million sets of personal data belonging to New Yorkers were leaked, 7.3 million of those in 2013 alone.
Extrapolated around the world, that’s a lot of leaked information.
The impact of this on how we live remains hard to quantify, but surveys repeatedly report a growing impact on trust after breaches, there’s a movement to adjust who takes responsibility for money lost, and progress is being made in lawsuits claiming damages from breached firms.
So it’s little surprise that a breached firm would avoid going public if it could, hence the growing pressure around the world for more rigorous notification laws.
If we don’t know we’re at risk, we’re not as prepared as we could be for any danger we might be in.
Just how well-equipped the average internet user is to protect themselves against attempted identity theft is a whole other issue. We need to be empowered to look after ourselves better online, and knowing what’s going on in the world is a basic part of that empowerment.
The delayed notification brings up another question too. Regular changing of passwords has long been accepted wisdom, but recently has been challenged more and more, mostly by those who feel the risks from not changing are outweighed by the greater likelihood that people will choose poor passwords if forced to think of new ones all the time.
In this case it seems that those who’ve changed their passwords for this particular site, between the time of the breach and the time when the data suddenly stopped being uncrackable, were wise to do so.