Daily deals website Catch of the Day has escaped any penalty for a data breach, which saw a significant amount of the financial and private details of its customers stolen.

The Office of the Australian Information Commissioner (OAIC) today finalised its inquiry into the incident, which became public in June 2014.

While privacy commissioner Timothy Pilgrim "expressed concern about the size of the breach", he has been assured that because measures have been put in place to stop it happening again "the OAIC does not intend to take any further action in relation to the incident at this time".

Mr Pilgrim also recommended that Catch of the Day "improve its processes for notifying customers of data breach incidents in future", noting concern at "the significant delay between [Catch of the Day] becoming aware of the incident and notifying affected individuals".

Catch of the Day is a very popular online shopping website, which claims to have more than 2 million members and nearly 15 per cent of Australia's retail internet traffic.

Timeline of a data breach In 2011, Catch of the Day is hacked and personal information and credit card numbers are stolen.

In 2011, Catch of the Day is hacked and personal information and credit card numbers are stolen. In June 2014, Catch of the Day emails customers, telling them of the data breach, and says it has reported the hack to AFP.

In June 2014, Catch of the Day emails customers, telling them of the data breach, and says it has reported the hack to AFP. In July 2014, OAIC is told about the breach a month before the public. When it becomes public, OAIC requests more information.

In July 2014, OAIC is told about the breach a month before the public. When it becomes public, OAIC requests more information. In July 2014, AFP says nothing was reported from Catch of the Day in 2011.

In July 2014, AFP says nothing was reported from Catch of the Day in 2011. In June 2015, OAIC delivers findings of investigation, asks the company to prove it has fixed up its systems.

Many people were highly critical of Catch of the Day's handling of the incident back in June 2014.

The company informed customers late on a Friday afternoon that their personal information, including possible financial information like credit cards, had been stolen.

Catch of the Day was aware of the incident for more than three years before the company decided to let customers know it was hacked.

In a statement to the media in June 2014, Catch of the Day admitted its systems had been breached.

"An illegal cyber attack in early 2011 saw hashed [encrypted] passwords and user information taken from Catchoftheday.com.au's database," the company's statement read.

"Catch of the Day acted swiftly at the time to shut down the attack and reported it to the Australian Federal Police, banks and credit card companies, who took action to protect consumers, such as cancelling affected cards."

AFP claims no complaint received from Catch of the Day

This statement later turned out to be misleading, after the Australian Federal Police denied ever receiving a complaint.

"AFP records do not show that any complaint was received in 2011 from the Catch of the Day website," an AFP spokesperson said.

Last year, Mr Pilgrim also admitted that Catch of the Day had only informed him a month before notifying its customers.

Catch of the Day had no legal obligation or requirement to inform the privacy commissioner of the data breach.

Space to play or pause, M to mute, left and right arrows to seek, up and down arrows for volume. Listen Duration: 3 minutes 39 seconds 3 m 39 s Privacy Commissioner fails to impose penalty on Catch of the Day website Download 6.7 MB

Despite losing customer details, taking more than three years to admit to being hacked, and misleading the public, the only consequence of the data breach is more paperwork for the company.

Catch of the Day told Mr Pilgrim it had completed an internal report, which included 20 recommendations to improve the way the company manages its customers' privacy.

Mr Pilgrim said Catch of the Day now has three more months to provide the office with another report about the implementation of those recommendations.

However the privacy commissioner has left open the door to further investigations, if requested by affected customers.

"The OAIC may conduct further enquiries if complaints are received from people who have been adversely affected by this incident," a statement said.

Aussie Travel Cover also escapes penalty for data breach

The privacy commissioner today also finalised its inquiries into a data breach of travel insurance company Aussie Travel Cover.

Aussie Travel Cover's database was breached by a young computer hacker, known online as Abdilo, in December last year.

The privacy commissioner said: "In light of the prompt action taken by [Aussie Travel Cover] to respond to the breach, including notification to affected individuals, and remedial action taken to prevent future breaches, the OAIC does not intend to take any further action in relation to this incident at this time."

The ABC revealed in January the hack could potentially be one of the largest in Australia's history.

However, Mr Pilgrim said the attack was much smaller than initial reports had made out.

"133 insurance agents and four policyholders had their full [Aussie Travel Cover] record extracted in an uncorrupted format as a result of the attack," the privacy commissioner's statement said.

The hacker, Abdilo, told the ABC he had downloaded Aussie Travel Cover's database by using what is known as an SQLi attack.

He provided to the ABC a partly redacted subset of the database he had stolen. While the database appeared to be partly scrambled, many of the details in it were accurate.

When contacted by the ABC, several Aussie Travel Cover customers were shocked to hear their details had been stolen, and confirmed with the ABC that they had been recent customers of Aussie Travel Cover.

One customer was particularly angry that the database had the records of policy he had purchased for one of his children.

The privacy commissioner has now closed its investigation into Aussie Travel Cover, but like with Catch of the Day said it could be reopened if needed.