The Australian Privacy Commissioner, Timothy Pilgrim, has found that Cupid Media Pty Ltd (Cupid) breached the Privacy Act 1988 by failing to take reasonable steps to secure the personal information held on its dating websites.
Cupid operates over 35 niche dating websites built around personal profiles, including ethnicity, religion and location. In January 2014, attackers gained unauthorised access to Cupid's web servers and stole the personal information of approximately 254,000 Australian Cupid site users. The personal information compromised included full names, dates of birth, email addresses and passwords.
The Commissioner said that businesses must remain vigilant about information security. This case highlights the importance of organisations conducting ongoing testing and maintenance of their security systems, both to minimise the risk of an intrusion succeeding and to ensure they can respond quickly if one occurs. Cupid's vulnerability testing processes did allow it to identify the intrusion and respond quickly. Intrusions of this kind are a continuing threat, and businesses need to account for that threat when considering their obligation to keep personal information secure.
However, the investigation found that, at the time of the incident, Cupid had no process in place for protecting stored passwords. They were held in plain text rather than as salted, one-way hashes, so a copy of the user database gave the attackers every user's working credentials, including any reused on other services.
‘Password encryption is a basic security strategy that may prevent unauthorised access to user accounts. Cupid insecurely stored passwords in plain text, and I found that to be a failure to take reasonable security steps as required under the Privacy Act,’ Mr Pilgrim said.
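The contrast the finding draws, shown as an added example that is not part of the OAIC release and has nothing to do with Cupid's actual code: a credential store that keeps passwords in plain text next to one that keeps only a per-user salted PBKDF2-HMAC-SHA256 hash and verifies in constant time. The record format, the 600,000-iteration work factor and the sample account are assumptions chosen for illustration; the point is that a stolen copy of the hardened table contains nothing directly usable as a password.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# What the finding describes: the password itself is the stored record,
# so a database dump is a credential dump.
def register_plaintext(store: Dict[str, str], email: str, password: str) -> None:
    store[email] = password

def login_plaintext(store: Dict[str, str], email: str, password: str) -> bool:
    return store.get(email) == password

# Hardened store: random 16-byte salt per user, slow one-way KDF,
# self-describing record so the work factor can be raised later.
# Assumption: 600,000 iterations is a reasonable current work factor.
PBKDF2_ITERATIONS = 600_000
ALGO = "pbkdf2_sha256"

def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGO:
        return False  # unknown or malformed record: never accept
    _, iterations, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so a mismatch does not leak how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def register(store: Dict[str, str], email: str, password: str) -> None:
    store[email] = hash_password(password)

def login(store: Dict[str, str], email: str, password: str) -> bool:
    stored = store.get(email)
    if stored is None:
        # Burn the same work for unknown accounts so response time does not
        # reveal whether an email address is registered.
        hash_password(password, salt=b"\x00" * 16)
        return False
    return verify_password(password, stored)

def dump_exposes_password(store: Dict[str, str], password: str) -> bool:
    """Would an attacker holding a copy of this table see `password` directly?"""
    return any(password == value or password in value for value in store.values())

if __name__ == "__main__":
    # Constructed sample account, not real user data.
    weak, strong = {}, {}
    register_plaintext(weak, "alice@example.com", "correct horse battery staple")
    register(strong, "alice@example.com", "correct horse battery staple")
    print("plaintext table leaks password:", dump_exposes_password(weak, "correct horse battery staple"))
    print("hashed table leaks password:", dump_exposes_password(strong, "correct horse battery staple"))
    print("hashed login works:", login(strong, "alice@example.com", "correct horse battery staple"))
```

Two users who choose the same password get different records because each has its own salt, which is what stops an attacker from cracking one hash and reusing the result across the whole table; the iteration count is embedded in the record so old entries can be re-hashed to a higher work factor at next login.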
The incident also demonstrates the importance of securely destroying or permanently de-identifying personal information that is no longer required. The Commissioner found that Cupid had not done so.
‘Holding onto old personal information that is no longer needed does not comply with the Privacy Act and needlessly places individuals at risk. Organisations must identify out-of-date or unrequired personal information and have a system in place for securely disposing of it.’
‘I would also remind consumers using internet dating sites to regularly update their privacy settings, change their passwords and be careful about the personal information they share. You don’t want to become a victim of identity theft or a scam.’
The Commissioner noted Cupid’s collaborative and cooperative approach in working with the Office of the Australian Information Commissioner (OAIC) during the investigation, as well as the significant remedial steps taken by Cupid in response to the data breach.
‘I encourage organisations to proactively notify the OAIC of a data breach so that we can work with them and assist with appropriate remediation if necessary’. The OAIC has issued a data breach notification guide that outlines steps businesses and agencies can take to respond to, and mitigate the results of, data breaches.