Deals website Catch of the Day and travel insurance company Aussie Travel Cover have avoided penalties from the Privacy Commissioner for separate large-scale data breaches.
Last July Catch of the Day revealed it had suffered a breach in 2011 in which customer passwords and some credit card details were stolen. The company claims to have more than 2 million members.
It was widely criticised for waiting three years to inform its customers of the theft of their details, and similarly for not acting immediately to inform the Australian Privacy Commissioner or the federal police of the incident.
The Office of the Australian Information Commissioner today finalised its inquiry into the breach.
Privacy Commissioner Timothy Pilgrim said the OAIC would avoid taking any further action against the company because it had been assured measures had been implemented to prevent a future breach.
Catch of the Day told Pilgrim it had compiled an internal report with 20 recommendations on ways to improve the management of its customers' privacy.
Pilgrim said the company had three months to provide his office with a report on how those recommendations had been implemented.
He told Catch of the Day to "improve its processes for notifying customers of data breach incidents in future", pointing out the "significant delay" between when the company became aware of the incident and when it notified its customers.
While stating he would not pursue further action, Pilgrim did say the OAIC may conduct future enquiries if it received complaints from those negatively affected by the breach.
No fines for Aussie Travel Cover
Travel insurance company Aussie Travel Cover similarly managed to avoid any penalties for its own data breach earlier this year, in which a hacker named Abdilo claimed to have obtained almost 900,000 customer details.
The files were later revealed to be corrupted.
Pilgrim today said in light of the "prompt action" taken by the company to address the breach - including notifying customers and remediating systems - the OAIC would not take further action.
He revealed that only 133 insurance agents and four policy holders had their full customer record accessed in an uncorrupted format.
The OAIC's investigation into the breach is now closed, Pilgrim said, but could similarly be opened should his office receive complaints from affected customers.