If you want a clear example of exactly what not to do when informing customers of a data breach involving your website, look at the lead set by Australian website Catch of the Day.
Catch of the Day, an Australian retail website offering discounted prices and deals on a range of products, suffered a severe security breach in early 2011. Customers' names, delivery addresses, email addresses and encrypted passwords were compromised, along with credit card information in some cases.
Astonishingly, it took Catch of the Day three years to inform its customers of the breach. An email sent to users on Friday evening local time advised anyone who registered an account before May 7, 2011 to change their password, because "technological advances" had led to an increased risk of the encrypted passwords being uncovered. In other words, the stolen password data was still at risk of being cracked offline, and customers had spent three years unaware that they needed to change it.
The security practices at Catch of the Day have significantly improved since 2011, according to the site's general manager, Jason Rudy. In a statement released to ZDnet, he claimed the website's security systems have "undergone continual upgrades to keep in line with industry standards and best practices."
Rudy also apologized to customers, saying "we take data security seriously and have taken strong measures to protect their personal information."
At the time of the breach, Catch of the Day informed local police, banks and credit card companies of what had occurred. It's unclear exactly why the website took three years to tell its own customers that their data had been compromised, but leaving the people whose names, addresses and passwords were exposed in the dark for that long is poor practice from a company claiming to be Australia's number one online store.