Catch of the Day hacked... three years ago?!

If reports are true one of the largest breaches of private user info to ever occur in the Australian retail industry actually took place in 2011 - and the retailer, daily-deal poster child Catch of the Day has only just informed its customers.

Customers just received the following email:

Data security is very important to us, which is why we need to let you know about some developments affecting member accounts created before 7 May 2011.

If you have not changed your password on since 7 May 2011, we advise you to change your password. If you have changed your password since that time, no further action on our website is necessary, but we nevertheless encourage our users to regularly change their passwords.

It is always good practice to have unique passwords for every website that you use. If you used the same password for as other websites in 2011 we recommend that you change all of those passwords as well.

In early 2011, Catchoftheday and other online retailers were targeted by an illegal cyber intrusion, which compromised names, delivery addresses, email addresses and hashed (encrypted) passwords. In some cases credit card data was compromised. Other websites in our Group were not affected.

At the time, we immediately informed police, banks and credit card companies who assisted us in taking action to protect our users, which included cancelling credit cards and launching investigations into the perpetrators.

We have also since informed the Australian Privacy Commissioner.

With technological advances it means there is an increasing risk that those hashed passwords may become compromised, which is why we are asking all those users with accounts created before 7 May 2011 to change their passwords.

Our security networks are continually evolving and have undergone major upgrades to keep in line with industry standards and best practices. We have better technology, better procedures and a bigger team dedicated to ensuring your experience with us is safe and secure. We regularly undertake external reviews and audits to ensure that our sites and your data are as secure as possible.

We sincerely apologise to our loyal customers that these events occurred and can assure you that we have dedicated significant resources to security and privacy to avoid these events in future.

Credit where it's due - if you're going to announce news of a disaster, 5.30pm on a Friday three years after the fact is a pretty good time to do it.

We'll be keeping a close eye on this one.