Catch of the day – notification of a data breach 3 years later….
July 27, 2014 |
Last week Catch of the Day announced it had suffered a data breach where customer passwords and their credit card details were stolen….. 3 years ago. Itnew covered the story in Catch of the Day reveals three-year old data breach.
There is no mandatory data breach notification laws in Australia. It is a large gaping hole in the privacy regulation. There is no good legal reason for this lapse beyond legislative lethargy. Last years attempt to enact a fair to middling notification bill lapsed when parliament was porogued. There is currently a bill in the Senate which aims to achieve the same result (being the same bill in all respects as the 2013 version) but because of political maneuvering is likely to fail. At some stage such legislation will be introduced. It is too large a a problem not to be addressed. But as with most matters privacy related in Australia the response will likely to be slow in coming, reluctantly enacted and inadequate and probably half a cycle behind developments in the technology.
The story provides:
Delays advising customers of early 2011 “cyber intrusion”.
Catch of the Day, which also owns Scoopon and GroceryRun, among others, said it had been targeted by an “illegal cyber intrusion” which had compromised names, addresses, email details, hashed passwords and in some cases, credit card details. It said other websites in its portfolio had not been targeted.
Although the company said in its advisory it had reported the hacking to police, banks and credit card issuers “immediately” after the attack, it did not tell the Australian Privacy Commissioner until an unspecified time after the breach.
Catch of the Day decided only to now advise customers with accounts created before May 7 2011 to change their passwords because “technological advances” meant there was an increased risk of the stolen hashed passwords becoming compromised.
Users who had changed their password since May 2011 need take no action, it advised.
The company did not reveal how many customers were affected by the breach, but said “only a relatively small portion” of users had credit card details compromised.
It told users its security networks were “continually evolving” and had undergone “major upgrades” to keep in line with industry standards and best practices.
Catch of the Day’s passwords are salted and it adopts “industry standard protection measures”.
“We have better technology, better procedures and a bigger team dedicated to ensuring your experience with us is safe and secure. We regularly undertake external reviews and audits to ensure that our sites and your data are as secure as possible,” Catch of the Day advised its customers.
“We sincerely apologise to our loyal customers that these events occured and can assure you that we have dedicated significant resources to security and privacy to avoid these events in the future.”
This has prompted a response from the Privacy Commissioner who stated:
In June 2014, the Office of the Australian Information Commissioner was notified by Catch of the Day about a data breach that occurred in 2011. The OAIC was not informed about the incident at the time it occurred. The OAIC has asked Catch of the Day for further information about the incident.
Organisations regularly make voluntary data breach notifications to the OAIC. In 2013–14 we received 71 data breach notifications, a 16% increase on the previous year. However, critical incidents may still be going unreported and consequently consumers may be unaware when their personal information could be compromised. People affected by data breaches that may have serious financial or other consequences are unable to take mitigating steps to protect their personal information if they are not appropriately notified. Data breach notification can also be a positive for organisations as it can promote transparency and trust about how an organisation handles personal information. The OAIC’s 2013 Community Attitudes to Privacy Survey showed that 96% of Australians expect to be informed if their personal information is lost.’
What is breathtaking is the response of the Association of Data Driven Marketing and Advertising which has the chutzpah to warn against mandatory reporting in response to Catch of the Day’s dilatory and lamentably late response to a data breach in the current voluntary regime. In ADMA warns against mandatory reporting after Catch of the Day delayed revealing breach for three years the Association is reportedly muttering darkly about a mandatory regime resulting in floods of reports about personal details being compromised. This, of course, may (rather than would) result in genuinely serious data breaches being lost in the mass of unnecessary warnings. What complete twaddle! Self serving twaddle at that. Jodie Sangster’s reported claim that mandatory reports to the Privacy Commissioner is counterproductive has no basis in fact. Lots of what may happen rather than what will or is likely to happen. Mandatory data reporting is the norm in Europe and most US States. All the maybes and might happens are fine as undergraduate debating points but have no real world resonance.
The article provides:
The Association of Data Driven Marketing and Advertising (ADMA) has warned that forcing companies to report data breaches could see consumers unnecessarily “flooded” with reports that their personal details may have been compromised.
Chief executive Jodie Sangster said making it mandatory to notify the Privacy Commissioner could be counter-productive as genuinely serious breaches may be lost amid a mass of unnecessary warnings.
Her comments came after news emerged that daily deals website Catch of the Day told consumers of a potential security breach three years after the incident.
The company claimed it had worked through the issue back in 2011 and only told the public of the breach now because advances in technology meant it may now be possible for passwords to be compromised.
Under current laws companies do not have to report breaches to the Privacy Commissioner. Although the debate over changing the regulations to make it compulsory is currently off the agenda, Sangster predicted the discussion will resurface.
She told Mumbrella that breaches where there was “no risk” to consumers did not need reporting.
“What ADMA would say is that if the consumer is put at risk with the type of data that has been breached then it is best practice to let them know,” Sangster said. “What we don’t want to happen is that every time there is a breach you have to go out and tell consumers.
“It should only be made compulsory if we can get to a sensible position whereby it’s of benefit to the customer and they are not going to get flooded with data beach notifications.
“If we go down the path of making it mandatory for every breach to be reported then the ones that are serious are not going to get through.”
[…] Catch of the day – notification of a data breach 3 years later…. […]