Retail coupon operator Catch of the Day has escaped penalty over sitting on a data breach for three years.
The 2011 data breach was notified to the Office of the Australian Information Commissioner (OAIC) in 2014. Catch of the Day attributed the delay to its eventual conclusion that the hashed passwords in the compromised systems "might" be at risk of being recovered due to "technological advances".
The privacy watchdog has now woken up and scratched out a response that it “does not intend to take any further action in relation to the incident at this time”.
Catch of the Day had better watch out, though: it's going to have to report back to the OAIC in three months about its “privacy governance and related matters”.
There's no news on what the OAIC thinks of sitting on a breach for three years, and while the watchpuppy says CoTD has conducted a privacy review, it doesn't think the outside world needs to know the details.
The OAIC has stated that CoTD notified banks, credit card companies and the police, brought in a third-party investigator of some kind, rebuilt its e-commerce platform, and brought itself into compliance with the PCI data security standards.
The company never revealed the scale of the breach, and in 2014 was criticised for telling customers it had notified the Australian Federal Police before it had actually done so.
One reason the OAIC decided not to impose penalties is that there were, apparently, no complaints from individuals that their information had been misused. “The OAIC may conduct further enquiries if complaints are received from people who have been adversely affected by this incident,” the office's media statement says. ®