Campbell Phillips reports on what appears to be a large breach involving an Australian e-tailer:
Accounts registered with CatchOfTheDay before May 7, 2011 have been compromised according to a recent email to all of the business’ subscribers.
As the email states, the breach occurred in early 2011 and is described as an “illegal cyber intrusion, which compromised names, delivery addresses, email addresses and hashed (encrypted) passwords”.
From the e-mail sent to customers:
Data security is very important to us, which is why we need to let you know about some developments affecting member accounts created before 7 May 2011.
If you have not changed your password on Catchoftheday.com.au since 7 May 2011, we advise you to change your password. If you have changed your password since that time, no further action on our website is necessary, but we nevertheless encourage our users to regularly change their passwords.
[…]
In early 2011, Catchoftheday and other online retailers were targeted by an illegal cyber intrusion, which compromised names, delivery addresses, email addresses and hashed (encrypted) passwords. In some cases credit card data was compromised. Other websites in our Group were not affected.
At the time, we immediately informed police, banks and credit card companies who assisted us in taking action to protect our users, which included cancelling credit cards and launching investigations into the perpetrators.
We have also since informed the Australian Privacy Commissioner.
Read more on PowerRetail.
So Catchoftheday knew at the time (in 2011) but never notified customers, thinking that the hashed passwords were sufficient protection, and has now changed its mind as hackers have become more capable of cracking those passwords?
Because Australia had no data breach notification law, they do not seem to have done anything illegal or wrong – unless you believe that they should have been transparent about the attack.
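The "hashed passwords were sufficient protection" point above, as an added example that is not code from the original post or from Catchoftheday: a constructed set of accounts stored under unsalted SHA-1 (the page does not say which hash was used; SHA-1 stands in here for the fast, unsalted hashing that was common in 2011) beside the same accounts under per-user-salted PBKDF2-HMAC-SHA256, showing why a leaked store of fast hashes stops counting as protection once offline guessing is cheap. `SAMPLE_ACCOUNTS` and `COMMON_PASSWORDS` are constructed sample data.

```python
import hashlib
import hmac
import os
import time
from typing import Dict, List, Optional

# Constructed sample accounts (not real CatchOfTheDay data); two users share a password.
SAMPLE_ACCOUNTS = {"alice": "catch2011", "bob": "catch2011", "carol": "Tr0ub4dor&3"}
# Constructed list of common passwords, standing in for any public wordlist.
COMMON_PASSWORDS = ["password", "123456", "letmein", "catch2011", "qwerty"]


def weak_store(password: str) -> str:
    """Unsalted single SHA-1: one fast hash per password, no per-user randomness."""
    return hashlib.sha1(password.encode()).hexdigest()


def strong_store(password: str, rounds: int = 200_000, salt: Optional[bytes] = None) -> str:
    """Per-user random salt plus PBKDF2-HMAC-SHA256 with a deliberately high work factor."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${dk.hex()}"


def strong_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and rounds; compare in constant time."""
    _, rounds, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)


def weak_store_exposure(accounts: Dict[str, str], common: List[str]) -> Dict[str, str]:
    """Audit view of an unsalted store: a table of hashes of common passwords, built once,
    maps straight onto every account, and users sharing a password show identical hashes."""
    stored = {user: weak_store(pw) for user, pw in accounts.items()}
    lookup = {weak_store(pw): pw for pw in common}
    return {user: lookup[h] for user, h in stored.items() if h in lookup}


def strong_store_properties(accounts: Dict[str, str], rounds: int = 200_000) -> Dict[str, object]:
    """Same accounts under the salted, slow scheme: equal passwords no longer collide,
    and each verification (or guess) costs `rounds` HMAC iterations instead of one hash."""
    stored = {user: strong_store(pw, rounds) for user, pw in accounts.items()}
    t0 = time.perf_counter()
    for _ in range(100):
        weak_store("catch2011")
    weak_per_guess = (time.perf_counter() - t0) / 100
    t0 = time.perf_counter()
    verify_ok = strong_verify("catch2011", stored["alice"])
    strong_per_guess = time.perf_counter() - t0
    return {"all_distinct": len(set(stored.values())) == len(stored),
            "verify_ok": verify_ok,
            "per_guess_slowdown": strong_per_guess / max(weak_per_guess, 1e-9)}
```

The slowdown figure is the per-guess cost an attacker pays against the salted store relative to the unsalted one; raise `rounds` over time as hardware gets faster.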