Catch of the Day
Summary
Catch of the Day, a popular Australian online retailer, suffered a database breach on 7 May 2011 that exposed hashed passwords and customer information including names, addresses, email details and some credit card numbers. The breach became controversial when the company waited nearly three years to notify affected customers.
What Happened
On 7 May 2011, attackers gained unauthorised access to Catchoftheday.com.au's database and stole hashed passwords along with user information such as names, addresses, email details and a number of credit card details. The breach occurred in 2011, but customers and regulators were not notified until July 2014.
The company finally sent an email to its customer base late on a Friday in July 2014 alerting them to a security breach that had occurred "in early 2011". The Office of the Australian Information Commissioner was informed in June 2014, approximately three years after the incident occurred.
Impact on Individuals
Affected customers faced multiple risks:
- Password compromise: Hashed passwords could potentially be cracked offline, and the three-year delay gave attackers ample time to recover them before anyone was told to change them
- Credential reuse: Customers using the same passwords on other sites were vulnerable to credential stuffing attacks
- Credit card fraud: Customers whose credit card details were stolen faced potential unauthorised charges
- Extended exposure: The three-year delay in notification meant customers were unaware they needed to change passwords or monitor accounts
The delayed notification was particularly problematic as customers had no opportunity to take protective action while their data may have been actively exploited.
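The case does not say how Catch of the Day hashed its passwords, but the first two risks above turn on that choice: an unsalted fast hash such as MD5 or SHA-1 can be cracked at scale long before a three-year notification gap closes, while a salted, slow key derivation function is designed to make that window far less useful. The following is an added example, not code from the page or from Catch of the Day, showing the defender-side pattern: audit a stored-credential table for weak hash formats, verify passwords against both a constructed legacy scheme (unsalted SHA-1 hex) and salted PBKDF2-HMAC-SHA256, and transparently rehash legacy records on the next successful login. The record format, iteration counts and sample rows are assumptions constructed for the example.

```python
import base64
import hashlib
import hmac
import os

# Assumption: work factor and record format are choices made for this example,
# not anything known about the retailer's actual storage.
PBKDF2_ITERATIONS = 600_000
MIN_ACCEPTABLE_ITERATIONS = 210_000


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as 'pbkdf2_sha256$iterations$salt$digest'."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def classify_record(stored: str) -> str:
    """Label a stored record by how well it would resist offline cracking."""
    if stored.startswith("pbkdf2_sha256$"):
        _, iters, _salt, _digest = stored.split("$")
        return "pbkdf2" if int(iters) >= MIN_ACCEPTABLE_ITERATIONS else "pbkdf2-weak"
    # Bare hex of MD5 / SHA-1 / SHA-256 length: an unsalted fast hash.
    if len(stored) in (32, 40, 64) and all(c in "0123456789abcdef" for c in stored.lower()):
        return "legacy-unsalted"
    return "unknown"


def verify_password(password: str, stored: str) -> bool:
    """Constant-time verification for both the modern and the constructed legacy format."""
    kind = classify_record(stored)
    pw = password.encode("utf-8")
    if kind.startswith("pbkdf2"):
        _, iters, salt_b64, digest_b64 = stored.split("$")
        expected = base64.b64decode(digest_b64)
        actual = hashlib.pbkdf2_hmac("sha256", pw, base64.b64decode(salt_b64), int(iters))
        return hmac.compare_digest(actual, expected)
    if kind == "legacy-unsalted" and len(stored) == 40:
        # Constructed legacy scheme for this example: unsalted SHA-1 hex digest.
        return hmac.compare_digest(hashlib.sha1(pw).hexdigest(), stored.lower())
    return False


def verify_and_upgrade(password: str, stored: str) -> tuple[bool, str]:
    """Authenticate; if the record is legacy or under-iterated, return a rehashed record."""
    ok = verify_password(password, stored)
    if ok and classify_record(stored) != "pbkdf2":
        return True, hash_password(password)
    return ok, stored


def audit(records: dict[str, str]) -> dict[str, int]:
    """Count records per format so weak storage is visible before a breach, not after."""
    counts: dict[str, int] = {}
    for stored in records.values():
        kind = classify_record(stored)
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed sample table: one legacy row, one modern row.
SAMPLE_USERS = {
    "legacy_user@example.invalid": hashlib.sha1(b"password123").hexdigest(),
    "modern_user@example.invalid": hash_password("correct horse battery staple"),
}

if __name__ == "__main__":
    print(audit(SAMPLE_USERS))
    ok, new_record = verify_and_upgrade("password123", SAMPLE_USERS["legacy_user@example.invalid"])
    print(ok, classify_record(new_record))
```

Running the audit periodically, and rehashing on login rather than waiting for users to reset, means that a copied table contains as few fast-hash records as possible at the moment it is stolen, which is the only moment the defender controls.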
Organisational Response
Catch of the Day claimed it acted swiftly at the time to shut down the attack and reported it to the Australian Federal Police, banks and credit card companies. However, reports later emerged that the AFP denied receiving any complaint from Catch of the Day, contradicting the company's claims.
Privacy Commissioner Timothy Pilgrim expressed concern at "the significant delay between [Catch of the Day] becoming aware of the incident and notifying affected individuals" and recommended that the company "improve its processes for notifying customers of data breach incidents in future". Despite these serious concerns, Catch of the Day escaped penalty due to what the Commissioner termed "prompt action" taken to address the breach itself, though this assessment focused on the technical response rather than the notification timeline.