I would like to think that the first thing any company would do in the wake of a data breach is to crack open its incident response plan and follow a well-planned strategy formulated long before the breach actually occurred.
While it might not be the first priority, I would also like to think that the response would include notifying customers as quickly as possible after the breach occurred.
But it appears not all companies think that way.
Take Australian daily deals site Catch of the Day for example.
The website has just revealed that it was hacked and that credit cards and passwords were compromised… early in 2011!
In a note sent to customers, the company said:
“In early 2011, Catchoftheday and other online retailers were targeted by an illegal cyber intrusion, which compromised names, delivery addresses, email addresses and hashed (encrypted) passwords. In some cases credit card data was compromised. Other websites in our Group were not affected.
At the time, we immediately informed police, banks and credit card companies who assisted us in taking action to protect our users, which included cancelling credit cards and launching investigations into the perpetrators.”
The notice goes on to say that the Australian Privacy Commissioner had been informed of the intrusion but did not note when exactly.
Without disclosing why it took the company over three years to disclose the breach to the public, it urged holders of accounts created before 7 May 2011 to change their passwords, adding that:
“With technological advances it means there is an increasing risk that those hashed passwords may become compromised, which is why we are asking all those users with accounts created before 7 May 2011 to change their passwords.”
Fortunately, it looks like Catch of the Day left payment processing to a third-party bank (which one can only hope is fully PCI DSS compliant), meaning that it only holds a limited set of data about each account, including:
- customer name
- delivery address
- email address
Catch of the Day itself only stores partial credit card numbers, it says, but even so, I’m not sure that makes a three-year delay in reporting even remotely acceptable.
My opinion counts for nought though – it’s the law of the land that matters – and in Australia there is no legislation mandating data breach disclosure at this time, though The Register reports that such a law may find its way onto the statute books in the future.
Indeed in many countries the situation is similar, with regulatory bodies advising breach disclosure but not universally requiring it under law. Do you think that is the correct stance or should companies be legally obliged to disclose all breaches? After all, knowing that the public will get to hear when things go wrong may just motivate organisations to tighten up their security in the first place.