Catch of the Day advises of breach in May 2011: SSO Alert Priority High
21 July 2014
On Friday, daily shopping deals website Catch of the Day contacted its customers to advise of a data breach affecting customer accounts created before 7 May 2011.
In the email it confirms that customer names, delivery addresses, email addresses and encrypted (hashed) passwords were compromised, with some users’ credit card information also affected.
It has not provided any guidance in relation to the delay between the time of the breach and its notification of the incident; however, its statement includes:
‘With technological advances it means there is an increasing risk that those hashed passwords may become compromised, which is why we are asking all those users with accounts created before 7 May 2011 to change their passwords.’
If you were registered with Catch of the Day before 7 May 2011, you should change your password immediately.
If you reuse any of these logon details elsewhere you should also change your passwords for those sites immediately.
If you had credit card information registered with Catch of the Day before 7 May 2011, you should monitor your bank accounts for any suspicious activity. You can also contact your bank to seek further advice.
Catch of the Day’s notification email states that it acted quickly at the time of the attack to shut it down, and that it notified the police, the Australian Privacy Commissioner, banks and credit card companies that took action which included cancelling some credit cards.
If you registered with Catch of the Day after 7 May 2011, the company advises that you should not be affected. However, you may consider changing your password as a matter of precaution and good practice.
The company also states that its other group sites were unaffected. These include Scoopon, Mumgo, Grocery Run, Eat Now and West Avenue.
Further press statements may be provided by Catch of the Day. You can monitor catchoftheday.com.au for more information.
Protecting your credit card
Every site you provide credit card information to will use different technology and expertise to manage the security of data they keep about you. While many take all the available precautions, others may not, and despite the best intentions, even well-known sites have been compromised. You should consider this risk whenever you provide credit card information to a site while signing up.
Some of the ways to minimise your risk include:
Using reputable third-party payment services (such as PayPal). (Of course, many of these have also been targeted by hackers in the past.)
Using a separate credit/debit card with limited funds in case it is compromised.
Minimising the number of places where your credit cards are registered online.
Removing your information from sites you no longer use. (Although sites may still retain your information.)
Reading the security information offered by websites when you sign up. Good websites will often promote their security technology and practices, particularly if you are providing credit card information.
You can also Google these companies to see if they have any previous security concerns.
Security news service CSO.com.au provides further discussion of this issue, including a copy of the notification email.
The information provided here is of a general nature. Everyone's circumstances are different. If you require specific advice you should contact your local technical support provider.
Thank you to those subscribers who have provided feedback to our Alerts and Newsletters. We are very interested in your feedback and where possible take on board your suggestions or requests.
This information has been prepared by Enex TestLab for the Department of Communications ('the Department'). It was accurate and up to date at the time of publishing.
This information is general information only and is intended for use by private individuals and small to medium sized businesses. If you are concerned about a specific cyber security issue you should seek professional advice.
The Commonwealth, Enex TestLab, and all other persons associated with this advisory accept no liability for any damage, loss or expense incurred as a result of the provision of this information, whether by way of negligence or otherwise.
Nothing in this information (including the listing of a person or organisation or links to other web sites) should be taken as an endorsement of a particular product or service.
Please note that third party views or recommendations included in this information do not reflect the views of the Commonwealth, or indicate its commitment to a particular course of action. The Commonwealth also cannot verify the accuracy of any third party material included in this information.