Michael McKinnon


Why did it take Catch of the Day three years to reveal a data breach?

7:52AM | Monday, 21 July

Deals website Catch of the Day has told some of its customers their passwords and credit card details were stolen, three years after the data breach took place.

Owned by Australian e-commerce giant The Catch Group, Catch of the Day wrote to its customers advising them of the breach late last week.

Catch of the Day said the site had been targeted by an illegal cyberattack on May 7 2011, which saw hashed (encrypted) passwords and user information such as names, addresses and email details taken from Catchoftheday.com.au’s database. Some credit card information was also stolen.

Three years later, the website is now advising customers to change passwords because "technological advances" meant there was an increased risk of the stolen passwords becoming compromised.

“As technology advances, there is a risk that those hashed passwords become compromised and Catch of the Day decided in light of these developments to proactively inform customers,” the company said in a statement.

Catch of the Day said it acted swiftly at the time to shut down the attack and reported it to the Australian Federal Police, banks and credit card companies, which took action to protect consumers, such as cancelling affected cards.

Users who had not changed their password since May 2011 were advised to do so, while those who had changed their passwords since the breach occurred were told they didn’t need to take any action.

“Our website security and technology is continually evolving and has undergone continual upgrades to keep in line with industry standards and best practices,” said Catch Group executive general manager Jason Rudy in the statement.

“We unreservedly apologise to our customers for this incident. We take data security seriously and have taken strong measures to protect their personal information.”

The company said it had committed significant resources via a large dedicated internal team and expert consultants to ensure it met industry standards.
iTWire is reporting Catch of the Day could have disclosed the vulnerability back in February 2012, when customers complained on the online forum Whirlpool about being spammed, but chose not to act.

Although Australian companies have some of the lowest levels of data breaches in the world, the average total cost of a data breach is thought to be around $3.75 million.

AVG security advisor Michael McKinnon told SmartCompany the letter to customers suggests Catch of the Day has concerns over the stolen passwords, such as the possibility that the plain text versions could be recovered from the hashes.

This would mean any user who has the same password for different accounts could potentially experience further breaches.

McKinnon says Catch of the Day was likely warned by their legal team not to admit to the breach at the time of the incident. He says most legal teams will advise businesses not to say anything in the event of a breach.

“Actually admitting it when you don’t have to opens up legal liability,” says McKinnon.

However, McKinnon says there is a reputational impact to consider if a business doesn’t disclose a breach which later comes out. He says at the end of the day, there will be tension between the legal impacts and the PR consequences of disclosing a breach.

“This is a dilemma for all business, given the fact we don’t have mandatory disclosure laws,” says McKinnon.

In terms of the stolen credit card information, McKinnon says the merchant is not obliged to declare a breach. Rather, the banks take on that role.

“The banks would have cancelled the credit cards and contacted the customers to say we believe your card has been compromised,” he says.

He says the customer would never have known where the data breach came from.

McKinnon says Catch of the Day may have also faced pressure from law enforcement agents not to disclose the breach at the time, on the basis that they were currently investigating it.

“I would question, why has it come out now?”

He says in similar cases he’d seen, there was motivation to disclose a breach after the fact when it had become apparent databases were being traded.

“This might be a case of ‘stay tuned’,” he says.

This article first appeared on SmartCompany.

Heartbreaking: Cupid Media struck by Privacy Commissioner for breaching privacy laws

6:55AM | Thursday, 26 June

Online dating company Cupid Media has come under fire from the Australian Privacy Commissioner for breaching privacy laws after it was hacked last year.

Commissioner Timothy Pilgrim found the company failed to take reasonable steps to secure personal information held on its dating websites when hackers gained unauthorised access to Cupid webservers and stole the personal information of about 254,000 Australian Cupid site users in January 2013.

Although new privacy laws were put in place on March 12 of this year, the data breach occurred in January 2013 and was found to have breached the Privacy Act 1988. Cupid Media operates over 35 niche dating websites based on personal information including ethnicity, religion and location. The personal information compromised at the time of the hack included users’ full name, date of birth, email addresses and passwords.

At the time of the incident, Pilgrim found Cupid Media did not have password encryption processes in place.

“Password encryption is a basic security strategy that may prevent unauthorised access to user accounts. Cupid insecurely stored passwords in plain text, and I found that to be failure to take reasonable security steps as required under the Privacy Act,” said Pilgrim in a statement.

Pilgrim also found Cupid had not securely destroyed or permanently de-identified personal information that was no longer required.

“Holding onto old personal information that is no longer needed does not comply with the Privacy Act and needlessly places individuals at risk. Organisations must identify out of date or unrequired personal information and have a system in place for securely disposing with it,” said Pilgrim.

“Hacks are a continuing threat these days, and businesses need to account for that threat when considering their obligation to keep personal information secure,” he said.

AVG security advisor Michael McKinnon told SmartCompany that when a website developer is building a user login, they must design it so the password cannot be decrypted. Decryption is the process of converting encrypted data back into its original form, so it can be understood.

“If your website gets compromised and passwords get stolen, criminals can then work out what your user’s plain text passwords are,” says McKinnon.

The danger then, he says, is that when users reuse passwords for different accounts, hackers have the information to hack those other accounts.

McKinnon says there is no proper standard for how websites must encrypt passwords to avoid decryption, and web developers will use many different methods.

He says small business should ask ‘searching questions’ of their web developers to safeguard themselves.

“This term is really good advice for small business who rely on web developers or third parties to control the security of their website,” says McKinnon.

“Small businesses tend to be taken for granted in these relationships and I implore all small business owners to take a more investigative approach when it comes to security.”

McKinnon says the best approach is to ask open ended questions of web developers, such as “how are you keeping my business safe?”

He says user logins create an important trust relationship between a business and its clients, “and it’s a trust you can’t betray.”

According to IT Wire, the Office of the Information Commissioner did not receive a data breach notification from Cupid Media at the time of the hack, and only opened the investigation following media reports.

Cupid Media was contacted for comment, but SmartCompany did not receive a response prior to publication.

This article first appeared on Smart Company.

Evernote hack yet another warning of cloud danger for Australian SMEs

3:36AM | Friday, 15 March

Australian Evernote users received a shock this weekend when the company sent notifications indicating it had suffered a hacking attempt, and warned affected users should change their passwords straight away.

Industry praise for new cyber security centre

3:23AM | Monday, 11 March

The Australian arm of global tech giant Huawei has welcomed the establishment of an Australian Cyber Security Centre, announced by Prime Minister Julia Gillard earlier today.

Start-ups warned of top five digital threats set to strike in 2013

3:12AM | Friday, 15 March

Internet security company AVG has identified five digital threats facing businesses and consumers in 2013, prompting an expert to highlight how start-ups can respond to the trends.

Business users urged to switch off Internet Explorer after vulnerability exposed

9:38AM | Wednesday, 19 September

It's been a bad week for internet scams, with the country's regulatory agencies warning against dodgy emails, while security advisors are now warning users of Microsoft's Internet Explorer browser to log off due to a newly discovered vulnerability.

LinkedIn security breach: Here’s a top password tip

6:33PM | Thursday, 7 June

Start-ups have been urged to use a simple trick to ensure the security of their password, after six million LinkedIn passwords were reportedly leaked online.