Catch of the Day has waited over three years to quietly reveal that their database was compromised in 2011. Under current laws, they were within their rights not to inform customers.
Users of the website received an email on the afternoon of Friday, 18 July 2014, from Catch of the Day stating: “Data security is very important to us, which is why we need to let you know about some developments affecting member accounts created before 7 May 2011.”
The email went on to say that names, addresses, email addresses, hashed (encrypted) passwords and in some cases credit cards were all compromised over three years ago.
One detail the letter leaves out is why they neglected to tell users about the breach at the time. The email goes on to state that with technological advancements “there is an increasing risk that those hashed passwords may become compromised”.
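The email's wording, that stored hashes become easier to crack as hardware improves, is the reason modern sites check the scheme a stored hash uses at every successful login and re-hash the password with the current, slower scheme. The following is an added example, not code from Catch of the Day or from the original article, showing that transparent upgrade pattern in Python. The legacy unsalted SHA-1 format, the `CURRENT_ITERATIONS` value and all function names are assumptions chosen for the illustration; PBKDF2-HMAC-SHA256 is used because it ships in the standard library.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed storage formats (constructed for this example):
#   legacy:  "sha1$<hex digest>"                      -- unsalted, fast, 2011-era
#   current: "pbkdf2_sha256$<iterations>$<b64 salt>$<b64 key>"
CURRENT_SCHEME = "pbkdf2_sha256"
CURRENT_ITERATIONS = 600_000  # raise this as hardware gets faster


def legacy_sha1(password: str) -> str:
    """Constructed example of an old-style unsalted hash; kept only to verify
    hashes already in the database, never to store new ones."""
    return "sha1$" + hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = CURRENT_ITERATIONS) -> str:
    """Hash with a fresh random per-user salt and the current work factor."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        CURRENT_SCHEME,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(key).decode("ascii"),
    ])


def needs_rehash(stored: str) -> bool:
    """True when the stored hash uses a legacy scheme or a weaker work factor
    than the current policy, i.e. it should be replaced at next login."""
    scheme, *rest = stored.split("$")
    if scheme != CURRENT_SCHEME:
        return True
    return int(rest[0]) < CURRENT_ITERATIONS


def verify(password: str, stored: str) -> Tuple[bool, Optional[str]]:
    """Check a password against a stored hash of either format.

    Returns (ok, replacement): when ok is True and the stored hash is below
    current policy, replacement is a new hash the caller should write back
    to the database; otherwise replacement is None."""
    scheme, *rest = stored.split("$")
    if scheme == "sha1":
        ok = hmac.compare_digest(legacy_sha1(password), stored)
    elif scheme == CURRENT_SCHEME:
        iterations, salt_b64, key_b64 = rest
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(key_b64)
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, int(iterations)
        )
        ok = hmac.compare_digest(candidate, expected)
    else:
        return False, None  # unknown scheme: fail closed
    if not ok:
        return False, None
    return True, (hash_password(password) if needs_rehash(stored) else None)


if __name__ == "__main__":
    # Constructed walk-through: a user whose row still holds a 2011-era hash.
    row = legacy_sha1("correct horse battery staple")
    ok, upgraded = verify("correct horse battery staple", row)
    print("login ok:", ok, "| upgrade needed:", upgraded is not None)
    if upgraded:
        row = upgraded  # the application writes this back to the user row
    print("second login:", verify("correct horse battery staple", row))
```

The constant-time `hmac.compare_digest` comparison and the fail-closed branch for unknown schemes are deliberate: the legacy verifier exists only so that users can still log in once, after which their row no longer carries a hash that cheap hardware can attack.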
Online users’ responses to the belated breach notification have been very negative, including a sharply worded open letter published by the tech blog Gizmodo.
Do you think Catch of the Day was right to wait to notify users until it judged the data could be decrypted? Or do you believe that users have a right to know that their information may be compromised as soon as it happens?