One of the strongest cases for mandatory data breach notification was the admission by Catch of the Day that the website had been hacked and customer data stolen three years ago.
Notifying your customers not only three years too late but also late on a Friday evening, when everything is closed for the next two days, suggests that stronger measures than the current regime are required to make online businesses take the security of their customers' data more seriously.
The excuse that Catch of the Day didn’t think it necessary to alert customers at the time, and is only doing so now because “technological advances” three years on could enable customers’ passwords to be cracked, beggars belief.
That’s about as far from being a responsible, security conscious online retailer as you can get.
Furthermore, Catch of the Day apparently told the police, banks and credit card issuers about the incident. Why weren’t customers told as well?
Catch of the Day is one of what appears to be an endless parade of online retailers leaking data. Target in the United States lost 40 million credit cards and 70 million personal records in a huge heist.
It is an increasingly common phenomenon that customers can do little about.
Keeping quiet about data breaches isn’t likely to help.
Consider white-label ticketing system company Vendini, which is trying to squirm its way out of the consequences of a data breach that took place in April last year with a settlement offer.
Vendini provides the “skinnable” back-end to theatres and other venues for online ticketing. By all accounts, it is very successful, selling millions of tickets.
If you haven't come across Vendini before, you're not alone. Not many credit card carrying customers seeking stage entertainment are familiar with Vendini's role in the chain of companies handling their personal and payment details.
Vendini is currently sending out over three million notices of settlement to people offering reimbursements of up to US$1,000 in case of loss.
That’s almost a year and a half after the data breach, and as idRADAR reports, the settlement notice is the first notification for many customers that their data has been breached.
Imagine being told by a company you have never heard of that your credit card details were snagged by an unknown criminal, far too late to do anything about it - and then being offered a paltry sum in compensation.
Unfortunately, avoiding being the catch of the day for hackers capitalising on online traders and service providers’ lack of security isn’t easy.
Even when you are able to buy things directly without having to log in, a large amount of customer information can still be captured. This ranges from payment method to shipping address, the email address used for receipts and order confirmation, customer names and, usually, a phone number. On top of that, it’s easy enough to snag other purchase-related information such as what customers look for on a site, where they came from and how often they visit.
This is very valuable information for an online business, but if not kept safe and secure, it could severely compromise customers’ privacy, especially if it is matched with leaked data from other outlets to profile online shoppers.
You could get around some of the above by using throwaway email addresses, stored-value or limited-value debit cards, maybe even shopping online through a VPN. But the amount of effort required means it’s more convenient to hop on the train to the nearest store and pay cash instead.
There’s enough evidence now to show that online merchants capture and keep huge amounts of data on their customers - and that this is stolen with depressing regularity as their security practices are found lacking.
That needs to change. It's time to introduce mandatory data breach reporting, with penalties that are large enough to encourage online businesses to spend more on security and to take better care of customer data.