Security Market Segment LS
Saturday, 19 July 2014 22:26

Catch of the Day had chance to disclose breach in 2012, chose not to

By

Evidence exists online that Catch of the Day could have disclosed its May 2011 vulnerability back in February 2012 but chose not to.

Earlier today I wrote about Catch of the Day's startling revelation that it had a security breach in May 2011, but only disclosed this to customers yesterday, Friday 18th July 2014 - over three years later.

During this breach customer data - including names, addresses, email addresses and passwords - and possibly partial credit card information - was stolen. Catch of the Day waited for three years to tell users they should probably change their passwords, not only on Catch of the Day but on other sites where they may use the same credentials.

In that story I posted a link to a forum posting on Apple's web site where one person had their Apple account compromised and noted the only other place they used the same credentials was with Catch of the Day. They viewed it as "unlikely" that was the problem. Not only does it now seem highly likely, the frustrating truth is that if Catch of the Day had told its own customers of this breach much sooner then at least one Apple account most likely would not have been compromised.

Further online investigation reveals another customer who noted unusual activity with an email address they only used with Catch of the Day.

Specifically, on the popular Australian technology forum Whirlpool it appears Catch of the Day promised to look into a reported problem - way back in February 2012.

User nachoman stated on February 24th 2012, "I have started receiving spam from 'mynetsale.com.au' to an email address I've used only with catchoftheday.com.au."

User BlueyT followed with "I'm getting crap from them too."

This discussion occurred in the Whirlpool 'Catch of the Day' forum topic where users specifically discussed Catch of the Day sales items, postage, problems, tips and other matters relating to Catch of the Day. As such user BlueyT was also undoubtedly a Catch of the Day user, similarly experiencing the unsolicited email.

A third user EdgeT chimed in "+1 for me as well. I was wondering where that came from."

Nachoman mused, "I wonder then if COTD gave our details to another party, or if they were hacked? I hope my credit card details are safe."

The very same problem was reported by other Whirlpool forum members named Woodrow, SpeedyPete and RayJ. RayJ similarly noted the email address he was receiving spam on was one he had used exclusively with Catch of the Day.

A Catch of the Day representative named Seamus - with username seamus-catch and listed email address of seamus@catchoftheday.com.au - joined the discussion. He requested "Can you please email me any examples (email address is listed in profile)? Catch takes information security very seriously and will investigate as a matter of priority."

Seamus continued posting on Whirlpool, offering support and advice for customer purchases, but never again responded on the matter of alleged spam from mynetsale.com.au.

Yet, despite Seamus' statement that Catch of the Day takes "information security very seriously" Catch of the Day has made clear it knew in May 2011 of a breach of confidential customer information. This breach was still known by Catch of the Day in February 2012 when the Whirlpool postings occurred. Seamus, and Catch of the Day management, chose not to disclose any advice about the breach, even when its own customers were observing their Catch of the Day-exclusive email addresses were being used by other web sites.

Finally, over three years since the breach and over two years since that Whirlpool discussion, Catch of the Day finally came clean, yesterday 18th July 2014.

An official comment has been requested from Catch of the Day.


Please join our community here and become a VIP.

Subscribe to ITWIRE UPDATE Newsletter here
JOIN our iTWireTV our YouTube Community here
BACK TO LATEST NEWS here

PROMOTE YOUR WEBINAR ON ITWIRE

It's all about Webinars.

Marketing budgets are now focused on Webinars combined with Lead Generation.

If you wish to promote a Webinar we recommend at least a 3 to 4 week campaign prior to your event.

The iTWire campaign will include extensive adverts on our News Site itwire.com and prominent Newsletter promotion https://itwire.com/itwire-update.html and Promotional News & Editorial. Plus a video interview of the key speaker on iTWire TV https://www.youtube.com/c/iTWireTV/videos which will be used in Promotional Posts on the iTWire Home Page.

Now we are coming out of Lockdown iTWire will be focussed to assisting with your webinatrs and campaigns and assassistance via part payments and extended terms, a Webinar Business Booster Pack and other supportive programs. We can also create your adverts and written content plus coordinate your video interview.

We look forward to discussing your campaign goals with you. Please click the button below.

MORE INFO HERE!

INTRODUCING ITWIRE TV

iTWire TV offers a unique value to the Tech Sector by providing a range of video interviews, news, views and reviews, and also provides the opportunity for vendors to promote your company and your marketing messages.

We work with you to develop the message and conduct the interview or product review in a safe and collaborative way. Unlike other Tech YouTube channels, we create a story around your message and post that on the homepage of ITWire, linking to your message.

In addition, your interview post message can be displayed in up to 7 different post displays on our the iTWire.com site to drive traffic and readers to your video content and downloads. This can be a significant Lead Generation opportunity for your business.

We also provide 3 videos in one recording/sitting if you require so that you have a series of videos to promote to your customers. Your sales team can add your emails to sales collateral and to the footer of their sales and marketing emails.

See the latest in Tech News, Views, Interviews, Reviews, Product Promos and Events. Plus funny videos from our readers and customers.

SEE WHAT'S ON ITWIRE TV NOW!

BACK TO HOME PAGE
David M Williams

David has been computing since 1984 where he instantly gravitated to the family Commodore 64. He completed a Bachelor of Computer Science degree from 1990 to 1992, commencing full-time employment as a systems analyst at the end of that year. David subsequently worked as a UNIX Systems Manager, Asia-Pacific technical specialist for an international software company, Business Analyst, IT Manager, and other roles. David has been the Chief Information Officer for national public companies since 2007, delivering IT knowledge and business acumen, seeking to transform the industries within which he works. David is also involved in the user group community, the Australian Computer Society technical advisory boards, and education.

Share News tips for the iTWire Journalists? Your tip will be anonymous

WEBINARS ONLINE & ON-DEMAND

GUEST ARTICLES

VENDOR NEWS

Guest Opinion

Guest Interviews

Guest Reviews

Guest Research

Guest Research & Case Studies

Channel News

Comments