Skip to main content
Skip to secondary navigation
Australian Government - Office of the Australian Information Commissioner - Home

Catch of the Day data breach

Catch of the Day data breach — finalisation of enquiries

2 June 2015

The Office of the Australian Information Commissioner (OAIC) has finalised enquiries into Australian retail company Pty Ltd (COTD), following a data breach notification received in June 2014.

COTD informed the Australian Privacy Commissioner of a data breach it experienced in 2011, which resulted in the compromise of personal information of COTD’s Australian customer base. The OAIC conducted enquiries in relation to this incident.

The Commissioner expressed concern about the size of the breach, the possible compromise of financial information, and the significant delay between COTD becoming aware of the incident and notifying affected individuals.

COTD has taken a range of steps in response to the incident including notifying banks, credit card companies, and the police; commissioning a third party expert to investigate the issue; rebuilding the e-commerce platform that was the subject of the attack; and upgrading its infrastructure to ensure compliance with the Payment Card Industry Data Security Standards (PCI-DSS). COTD completed an internal Privacy Compliance Assessment, resulting in 20 recommendations that go to improving COTD’s privacy governance arrangements and related matters. The Commissioner also recommended that COTD improve its processes for notifying customers of data breach incidents in future.

In light of the steps COTD has taken to prevent a similar incident from recurring, the OAIC does not intend to take any further action in relation to the incident at this time. However, COTD has been asked to provide a report about the implementation of the above recommendations within three months. The OAIC may conduct further enquiries if complaints are received from people who have been adversely affected by this incident.

As the breach occurred before 12 March 2014, the Commissioner’s powers under the Privacy Act 1988 were limited to making recommendations. Since 12 March 2014, the Commissioner’s powers following a Commissioner-initiated investigation include the power to accept an enforceable undertaking from an entity or to make a determination. The Commissioner may also apply to the Federal Court or Federal Circuit Court for an order that an entity pay a civil penalty, where there has been a serious or repeated interference with privacy. It is up to the court to decide whether the entity has contravened the civil penalty provision, and the appropriate penalty amount.

Back to Contents

Catch of the Day data breach — statement

21 July 2014

‘In June 2014, the Office of the Australian Information Commissioner was notified by Catch of the Day about a data breach that occurred in 2011. The OAIC was not informed about the incident at the time it occurred. The OAIC has asked Catch of the Day for further information about the incident.

Organisations regularly make voluntary data breach notifications to the OAIC. In 2013–14 we received 71 data breach notifications, a 16% increase on the previous year. However, critical incidents may still be going unreported and consequently consumers may be unaware when their personal information could be compromised. People affected by data breaches that may have serious financial or other consequences are unable to take mitigating steps to protect their personal information if they are not appropriately notified. Data breach notification can also be a positive for organisations as it can promote transparency and trust about how an organisation handles personal information. The OAIC’s 2013 Community Attitudes to Privacy Survey showed that 96% of Australians expect to be informed if their personal information is lost.’

Timothy Pilgrim — Australian Privacy Commissioner

Back to Contents