The Australian Privacy Commissioner, Timothy Pilgrim, has found that Cupid Media Pty Ltd breached the Privacy Act by failing to take reasonable steps to secure personal information it held on over 35 niche dating websites based on personal profile including ethnicity, religion and location. It also failed to destroy the personal information it held in relation to accounts that were no longer in use.

The Commissioner commenced an Own Motion Investigation after media publicity that Cupid user records had been stolen and found on a server operated by hackers.

The categories of personal information compromised in the data breach consisted of full names, dates of birth (for some customers), email addresses and passwords.

Cupid estimated that the accounts and personal information of approximately 254,000 Australian users were compromised in the data breach.

The Commissioner noted that Cupid offers services via sites categorised as ‘African dating’, ‘Asian dating’, ‘Latin dating’, ‘gay and lesbian dating’, ‘special interest’ and ‘religion’. The personal information that Cupid handles in relation to user accounts for these particular sites will include ‘sensitive information’ for the purposes of the Privacy Act. The Commissioner therefore found that more stringent steps were required of Cupid to keep this information secure than may be required of organisations that do not handle sensitive information.

The Commissioner considered that the information and patch management steps and the testing and monitoring steps taken by Cupid were reasonable security steps for the purposes of NPP 4.1 in the circumstances.

The Commissioner found Cupid’s storage of passwords in plain text to be a failure to take reasonable security steps for the purpose of NPP 4.1.Password encryption strategies such as hashing and salting are basic security steps that were available to Cupid at the time of the data breach that may have prevented unauthorised access to user accounts.

Also, the Commissioner considered that prior to the data breach Cupid failed to take reasonable steps to destroy or permanently de-identify the personal information it held in relation to user accounts that were no longer in use or needed, in contravention of NPP 4.2.

Cupid advised that although the media had reported that 42 million users’ accounts were compromised as a result of the data breach, this figure was not accurate because it included ‘junk’ accounts and duplicate accounts. Cupid confirmed that at the time of the data breach, it did not have any particular systems in place to identify accounts that were no longer needed or in use, or a process for how the destruction or de-identification of personal information related to such accounts would occur.

The Commissioner noted that Cupid acted appropriately in response to the data breach including by:

• obtaining and applying a security patch to fix the vulnerability, and
• notifying affected individuals and ensuring they reset their passwords (and encouraging users to reset passwords for different online services where they used the same password as used for their Cupid account).