Australian retailer Catch of the Day has reported that it suffered a security incident in 2011 which may have compromised encrypted (hashed) passwords and some credit card data.
In a statement posted on its Twitter feed but not on its website, the retailer said that the “illegal cyber attack” occurred in 2011 and only affects users who were registered on the site prior to May 7th 2011.
It said: “An illegal cyber attack in early 2011 saw hashed (encrypted) passwords and user information taken from Catchoftheday.com.au’s database. A limited portion of these customers also had credit card data stolen. Other sites in our group were not affected.
“Catchoftheday acted swiftly at the time to shut down the attack and reported it to the Australian Federal Police, banks and credit card companies, who took action to protect consumers, such as cancelling affected cards.”
Despite the attack occurring over three years ago, the retailer admitted that, as technology has advanced, there is a chance that those hashed passwords may have since been cracked, which is why it decided to inform customers.
Catch Group executive general manager Jason Rudy “unreservedly apologised” to customers for the incident. “We take data security seriously and have taken strong measures to protect their personal information,” he said. “We have committed significant resources both internally, with a large dedicated team and externally via expert consultants to ensure we meet industry standards.”
Australian security researcher Troy Hunt told IT Security Guru that he knew little about the incident because the statement was light on detail, but that it was clear the company had known about it for three years.
Andy Green, senior digital content producer at Varonis, said that it was strange that they waited this long to tell their customers. “Although it’s true that it typically takes a long time—usually measured in months—for companies to spot a breach and it’s the customers who become victims of identity theft, especially when credit cards are involved, that raise the alarm,” he said. “Keep in mind that a hashed password can be broken through use of dictionaries/rainbow tables when the password is weak.”
Mark Bower, VP at Voltage Security, said: “With confusing ‘on again, off again’ strategies for data breaches in Australia by the Government over the years, it’s no surprise to see old breaches surfacing years later. It’s highly likely that many firms in Australia without a strong data security strategy have been successfully attacked at the expense of consumers’ privacy.
“The lack of strong and enforced breach notification laws simply avoids accountability and responsibility when breaches are detected. Australian consumers deserve better, and the Australian Government has to bring data security awareness and protection to modern standards instead of endless debate and delays.”
David Howorth, VP at Alert Logic, highlighted the timing of the incident, which occurred in the same year as the attacks on Sony and RSA, most of which, he said, were caused by companies not taking the correct security measures and so being pushed into crisis-management mode.
He said: “Given that the passwords were encrypted, Catch of the Day could have had a very positive message to send to their customers. They certainly had a duty of care to tell their customers, but we live in a different world in 2014 than we did in 2011 – we are used to security breach notifications these days, so it is unclear what their motivation is for sharing the information now.
“Breaches are inevitable, but having technologies such as encryption, authentication, threat and vulnerability management solutions are a positive story to tell consumers – you are taking security seriously. Three years is a long time to keep it quiet, so they must have a compelling reason to make the announcement now. Customers should take heed and change their passwords ASAP.”
TK Keanini, CTO of Lancope, pointed out that organisations are not ready for incident response the first few times it happens to them, saying the process is slow and mistakes are made, but he said that this was a ridiculous amount of time to let go by before disclosing to their users.
Asked if the encryption could be strong enough to protect passwords and credit card data, he said: “Let’s hope that they used strong cryptographic digest methods for those hashes! If they did not, it is as good as disclosed. Strong encryption is the way sensitive data should be stored. Now it is a race whereby the criminals race to decrypt the hashes through brute force methods before users change the information.”
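Green’s point that a hashed weak password falls to a dictionary or rainbow table, and Keanini’s that only a strong digest method keeps stolen hashes from being “as good as disclosed”, come down to how the hash is stored. The following is an added illustration, not code from Catch of the Day or any of the quoted vendors; the sample password, the record format and the PBKDF2 work factor are assumptions chosen for the example. It contrasts a fast, unsalted digest (every user with the same password gets the same stored value, so one precomputed table covers them all) with a per-user salted, iterated PBKDF2 record that a site can verify but an attacker must recompute per guess and per user.

```python
import hashlib
import hmac
import os
from typing import Callable, Optional

# Constructed sample: a weak password that any cracking dictionary contains.
WEAK_PASSWORD = "password1"
# Assumed work factor; in practice tune so one hash takes on the order of 100 ms.
PBKDF2_ITERATIONS = 600_000


def unsalted_sha1(password: str) -> str:
    """The weak scheme: fast and unsalted, so identical for every user
    who chose the same password and trivially matched against a table."""
    return hashlib.sha1(password.encode()).hexdigest()


def store_password(password: str, salt: Optional[bytes] = None) -> str:
    """Strong scheme: per-user random salt plus iterated PBKDF2-HMAC-SHA256.
    Record format (assumed for this example): pbkdf2$iterations$salt_hex$hash_hex"""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the PBKDF2 digest from the stored salt and iteration count
    and compare in constant time."""
    scheme, iterations, salt_hex, hash_hex = record.split("$")
    if scheme != "pbkdf2":
        raise ValueError("unknown password record scheme")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def same_digest_for_all_users(scheme: Callable[[str], str], password: str, users: int = 3) -> bool:
    """True if the scheme stores the same value for every user who picked this
    password, i.e. a single precomputed lookup defeats the whole user base."""
    return len({scheme(password) for _ in range(users)}) == 1


if __name__ == "__main__":
    print("unsalted SHA-1 shared across users:", same_digest_for_all_users(unsalted_sha1, WEAK_PASSWORD))
    print("salted PBKDF2 shared across users: ", same_digest_for_all_users(store_password, WEAK_PASSWORD))
    record = store_password(WEAK_PASSWORD)
    print("verify correct password:", verify_password(WEAK_PASSWORD, record))
```

A salted, iterated hash does not rescue a password like the constructed sample above from a targeted dictionary run; it only removes the shortcut of a shared precomputed table and raises the per-guess cost, which is why the advice to change passwords still stands.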