Cupid Media "breached Privacy act" after storing users' passwords in plain text

Filed Under: Data loss, Featured, Law & order, Privacy

Heart. Image courtesy of Shutterstock.The Australian Privacy Commissioner, Timothy Pilgrim, has ruled that Cupid Media Pty Ltd breached the Privacy Act following a data breach which saw over 40 million customer records exposed.

The company, which operates over 35 niche websites, was investigated after members' full names, dates of birth, email addresses, and passwords were found on a server operated by hackers.

The Commissioner's investigation, which began on December 13 last year, concluded that the company had failed "to take reasonable steps to secure personal information it held."

Cupid itself admitted that its security measures were not as stringent as those seen within organisations that hold financial or other sensitive data because, it said, it didn't store credit card or banking data.

The Commissioner, however, pointed out that other forms of personal data can and should be considered as sensitive, highlighting how Cupid offers services themed around specific categories such as ethnic dating, gay and lesbian dating, religious matches and 'special interest'.

According to the ruling:

The personal information that Cupid handles in relation to user accounts for these particular sites will include 'sensitive information' for the purposes of the Privacy Act.

The Commissioner therefore found that more stringent steps were required of Cupid to keep this information secure than may be required of organisations that do not handle sensitive information.

But it's not all bad for Cupid - the company was told its patch management policy and implementation of security software was sufficient, and that it employed adequate testing and monitoring steps. The Commissioner also said that the company had acted responsibly in dealing with the breach once it became known.

It was noted, however, that Cupid retained personal information that it did not require.

The company had dismissed reports that the breach had affected 42 million account holders, including those of 254,000 Australians, saying that "this figure is not accurate because it includes 'junk' accounts and duplicate accounts."

Nevertheless, the Commissioner said:

Cupid failed to take reasonable steps to destroy or permanently de-identify the personal information it held in relation to user accounts that were no longer in use or needed.

The investigation also revealed a major issue surrounding Cupid's storage of passwords - they were stored in plain text:

Password encryption is a basic security strategy that may prevent unauthorised access to user accounts. Cupid insecurely stored passwords in plain text, and I found that to be failure to take reasonable security steps as required under the Privacy Act.

The company did enforce password resets after the breach, and advised users that they should also change their passwords elsewhere if they were in the habit of reusing them.

Additionally, Cupid took a "collaborative and cooperative approach" in working with the Office of the Australian Information Commissioner in order to rectify the situation, including the segregation of its database to ensure that personal information was not available on the public-facing website, and the analysis of its server logs to ensure that the original vulnerability (a missed patch for ColdFusion) was fixed.

The investigation was therefore closed and no punishment given to Cupid.

Now seems like a good time for us to remind you (and, in turn, for you to remind your friends and family) that every online account should have a different password. It's so important that it's one of our 3 essential security tasks you can do today.

It's not the first time that online daters have been caught out by a breach.

Love may be blind but the hackers aren't - so be careful where you stick your personal information.


Image of heart courtesy of Shutterstock.

, , , , ,

You might like

4 Responses to Cupid Media "breached Privacy act" after storing users' passwords in plain text

  1. Barney Laurance · 26 days ago

    Any news on whether Cupid Media is planning to start using proper password hashing, or has done so already?

  2. Anonymous · 26 days ago

    Cupid media does not own OkCupid, Match.com does. It wasn't involved in the data breach.

  3. Slashee the Cow · 26 days ago

    So the Australian Privacy Commisioner doesn't like it when you store passwords in plain text? I should get them on to one or two Australian based online stores I've come across. I don't know whether they actually store passwords in plaintext (haven't looked at their database), but their lost password function just email your your password in plaintext (which is also a stupid idea, and not just because it means they're storing passwords in either plaintext or a way that they can easily be converted back to plaintext).

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Lee Munson is the founder of Security FAQs, a social media manager with BH Consulting and a blogger with a huge passion for information security.