Tough love: Cupid Media struck by Privacy Commissioner for breaching privacy laws

Online dating company Cupid Media has come under fire from the Australian Privacy Commissioner for breaching privacy laws after it was hacked last year.

Commissioner Timothy Pilgrim found the company failed to take reasonable steps to secure personal information held on its dating websites when hackers gained unauthorised access to Cupid webservers and stole the personal information of about 254,000 Australian Cupid site users in January 2013.

Although new privacy laws were put in place on March 12 of this year, the data breach occurred in January 2013 and was found to have breached the Privacy Act 1988.

Cupid Media operates over 35 niche dating websites based on personal information including ethnicity, religion and location. The personal information compromised at the time of the hack included users’ full name, date of birth, email addresses and passwords.

At the time of the incident, Pilgrim found Cupid Media did not have password encryption processes in place.

“Password encryption is a basic security strategy that may prevent unauthorised access to user accounts. Cupid insecurely stored passwords in plain text, and I found that to be failure to take reasonable security steps as required under the Privacy Act,” said Pilgrim in a statement.

Pilgrim also found Cupid had not securely destroyed or permanently de-identified personal information that was no longer required.

“Holding onto old personal information that is no longer needed does not comply with the Privacy Act and needlessly places individuals at risk. Organisations must identify out of date or unrequired personal information and have a system in place for securely disposing with it,” said Pilgrim.

“Hacks are a continuing threat these days, and businesses need to account for that threat when considering their obligation to keep personal information secure,” he said.

AVG security advisor Michael McKinnon told SmartCompany when a website developer is developing a user login, they must design it so the password cannot be decrypted. Decryption is the process of converting encrypted data back into its original form, so it can be understood.

“If your website gets compromised and passwords get stolen, criminals can then work out what your user’s plain text passwords are,” says McKinnon.

The danger then, he says, is when users reuse passwords for different accounts, hackers have the information to hack those other accounts.

McKinnon says there is no proper standard for how websites must encrypt passwords to avoid decryption, and web developers will use many different methods.

He says small business should ask ‘searching questions’ of their web developers to safeguard themselves.

“This term is really good advice for small business who rely on web developers or third parties to control the security of their website,” says McKinnon.

“Small businesses tend to be taken for granted in these relationships and I implore all small business owners to take a more investigative approach when it comes to security.”

McKinnon says the best approach is to ask open ended questions of web developers, such as “how are you keeping my business safe?”

He says user logins create an important trust relationship between a business and its clients, “and it’s a trust you can’t betray.”

According to IT Wire, the Office of the Information Commissioner did not receive a data breach notification from Cupid Media at the time of the hack, and only opened the investigation following media reports.

Cupid Media was contacted for comment, but SmartCompany did not receive a response prior to publication.