Dating site exposed 254,000 Aussie lonely hearts

BEN GRUBB
Last updated 16:55 25/06/2014
HEARTBURN: Cupid Media managing director Andrew Bolton.

Australian online dating company Cupid Media breached the Privacy Act by failing to take reasonable steps to secure the personal information of 254,000 Australians held on its dating websites, the privacy commissioner has found.

Cupid, run out of Southport on the Gold Coast, operates more than 35 niche dating websites based on users' personal profiles, including ethnicity, religion and location. In January last year, hackers gained unauthorised access to Cupid web servers and stole the personal information of what was reported to be 42 million users across the globe.

The 42 million figure was, however, disputed by Cupid managing director Andrew Bolton. When the breach was made public in November he said the number of "active members" affected was "considerably less than 42 million". How many non-active members' details were breached was never disclosed.

The number of Australians exposed was also unknown until the Privacy Commissioner revealed it on Wednesday. The personal information included full names, dates of birth, email addresses and passwords.

Privacy Commissioner Timothy Pilgrim said businesses must remain vigilant about information security.

"This case highlights the importance of organisations conducting ongoing testing and maintenance of security systems to minimise the risk of a hack succeeding, and to ensure they are able to respond quickly if one occurs," Mr Pilgrim said.

"Cupid's vulnerability testing processes did allow it to identify the hack and respond quickly. Hacks are a continuing threat these days, and businesses need to account for that threat when considering their obligation to keep personal information secure."

The investigation found that at the time of the incident, Cupid did not have password encryption processes in place.

"Password encryption is a basic security strategy that may prevent unauthorised access to user accounts," Mr Pilgrim said. "Cupid insecurely stored passwords in plain text, and I found that to be failure to take reasonable security steps as required under the Privacy Act."

Mr Pilgrim said the incident also demonstrated the importance of securely destroying or permanently de-identifying personal information that is no longer required. He found that Cupid had not done this.

"Holding onto old personal information that is no longer needed does not comply with the Privacy Act and needlessly places individuals at risk," he said.

"Organisations must identify out of date or unrequired personal information and have a system in place for securely disposing of it."

The commissioner said Cupid worked collaboratively and co-operatively with his office during the investigation.

Correction: The headline and article initially stated 245,000 Australians were exposed. This was incorrect and has been fixed. The error came about due to an error by the privacy commissioner's media office.
