Australian Privacy Commissioner Timothy Pilgrim announced today that Cupid Media had breached the Privacy Act by failing to take reasonable steps to secure data held on its websites.
Cupid, based in Southport on the Gold Coast, is a niche operator in the Australian dating website market, running more than 35 niche dating websites such as ChristianCupid, MilitaryCupid, SingleParentLove and other sites based on ethnicity, religion and location.
Hackers gained unauthorised access to Cupid servers in January last year and stole the personal information of what was believed to be 42 million users across the globe.
This number included over 250,000 Australian Cupid site users, and the data stolen included their full name, date of birth, email address and password.
The Office of the Australian Information Commissioner (OAIC) did not receive a data breach notification from Cupid Media, and only opened the investigation following media reports.
The investigation found that Cupid Media breached the Privacy Act by failing to take “reasonable steps” to secure users’ personal information.
“Password encryption is a basic security strategy that may prevent unauthorised access to user accounts. Cupid Media insecurely stored passwords in plain text, and I found that to be failure to take reasonable security steps as required under the Privacy Act,” Pilgrim said in a statement.
In 2013, the company did not have password encryption processes in place, and it was found Cupid Media also failed to destroy or de-identify the details of people who had left the site.
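The two failings described above, plaintext password storage and retention of departed users' details, side by side with the remedial practice, as an added illustration that is not code from the original article or from Cupid Media. It assumes an in-memory dictionary as the user table and uses scrypt with constructed work-factor parameters.

```python
import hashlib
import hmac
import secrets


def store_plaintext(db, user, password, email):
    # What the investigation found: the password sits in the table as-is,
    # so whoever reads the table reads every password.
    db[user] = {"email": email, "password": password, "active": True}


def store_hashed(db, user, password, email):
    # Remedial practice: per-user random salt plus a slow key-derivation
    # function, so a stolen table cannot be reversed with one lookup.
    # Work factors (n, r, p) are constructed values for this example.
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    db[user] = {"email": email, "salt": salt, "hash": digest, "active": True}


def verify_hashed(db, user, password):
    # Recompute the derivation and compare in constant time.
    rec = db.get(user)
    if rec is None or "hash" not in rec:
        return False
    digest = hashlib.scrypt(password.encode(), salt=rec["salt"],
                            n=2**14, r=8, p=1)
    return hmac.compare_digest(digest, rec["hash"])


def deactivate(db, user):
    # A user leaves the site; the record is marked, not yet destroyed.
    db[user]["active"] = False


def purge_departed(db):
    # Retention control: destroy records of users who have left, so they
    # are no longer exposed if the table is later stolen. Returns the count.
    removed = 0
    for user in list(db):
        if not db[user]["active"]:
            del db[user]
            removed += 1
    return removed


def dump_passwords(db):
    # What a thief learns from a copy of the table: the raw password for
    # plaintext records, nothing usable (None) for hashed ones.
    return {u: r.get("password") for u, r in db.items()}
```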
“Holding onto old personal information that is no longer needed does not comply with the Privacy Act and needlessly places individuals at risk. Organisations must identify out of date personal information and have a system in place for securely disposing of it,” Pilgrim said.
"Installation of malicious software (malware) detection and prevention software (including antivirus software) is a reasonably affordable security step that can assist organisations to prevent attacks by malicious hackers and the damage caused by malware," he said.
Pilgrim did note, however, that Cupid Media subsequently took a number “of remedial steps”, including the adoption of password encryption following the breach.
The company also sent notifications to all affected users encouraging them to reset their passwords, and analysed server logs and tracked the hack method to ensure the breach had been contained.
Pilgrim's advice to Australians who use dating websites is to update their privacy settings regularly, change their passwords and “be careful” about the personal information they share online.
“You don’t want to become a victim of identity theft or a scam,” he said.
The Commissioner noted Cupid’s collaborative and cooperative approach in working with the Office of the Australian Information Commissioner (OAIC) during the investigation, as well as the significant remedial steps taken by Cupid in response to the data breach.
“I encourage organisations to proactively notify the OAIC of a data breach so that we can work with them and assist with appropriate remediation if necessary,” he said.
The OAIC has issued a data breach notification guide that outlines steps businesses and agencies can take to respond to, and mitigate the results of, data breaches.
For more information about how to recognise, avoid and report scams visit the SCAMwatch website.