Cupid Media “breached Privacy act” after storing users’ passwords in plain text

Heart. Image courtesy of Shutterstock.

The Australian Privacy Commissioner, Timothy Pilgrim, has ruled that Cupid Media Pty Ltd breached the Privacy Act following a data breach which saw over 40 million customer records exposed.

The company, which operates over 35 niche websites, was investigated after members’ full names, dates of birth, email addresses, and passwords were found on a server operated by hackers.

The Commissioner’s investigation, which began on December 13 last year, concluded that the company had failed “to take reasonable steps to secure personal information it held.”

Cupid itself admitted that its security measures were not as stringent as those seen within organisations that hold financial or other sensitive data because, it said, it didn’t store credit card or banking data.

The Commissioner, however, pointed out that other forms of personal data can and should be considered as sensitive, highlighting how Cupid offers services themed around specific categories such as ethnic dating, gay and lesbian dating, religious matches and ‘special interest’.

According to the ruling:

The personal information that Cupid handles in relation to user accounts for these particular sites will include 'sensitive information' for the purposes of the Privacy Act.

The Commissioner therefore found that more stringent steps were required of Cupid to keep this information secure than may be required of organisations that do not handle sensitive information.

But it’s not all bad for Cupid – the company was told its patch management policy and implementation of security software was sufficient, and that it employed adequate testing and monitoring steps. The Commissioner also said that the company had acted responsibly in dealing with the breach once it became known.

It was noted, however, that Cupid retained personal information that it did not require.

The company had dismissed reports that the breach had affected 42 million account holders, including those of 254,000 Australians, saying that “this figure is not accurate because it includes ‘junk’ accounts and duplicate accounts.”

Nevertheless, the Commissioner said:

Cupid failed to take reasonable steps to destroy or permanently de-identify the personal information it held in relation to user accounts that were no longer in use or needed.

The investigation also revealed a major issue surrounding Cupid’s storage of passwords – they were stored in plain text:

Password encryption is a basic security strategy that may prevent unauthorised access to user accounts. Cupid insecurely stored passwords in plain text, and I found that to be failure to take reasonable security steps as required under the Privacy Act.
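The ruling's point is that a table of plain-text passwords hands every credential to whoever copies it, while a properly hashed table does not. The following is an added example, not code from the article or from Cupid Media, that puts the criticised practice beside the usual fix: a per-user random salt and a deliberately slow one-way hash (PBKDF2-HMAC-SHA256 from Python's standard library), compared in constant time. The user records, function names and the iteration count are all constructed for illustration.

```python
"""Plain-text password storage (what the ruling describes) beside a hardened
alternative. Added example; all records and parameters are constructed."""
import hashlib
import hmac
import os

# --- What the ruling describes: passwords kept in plain text -----------------
# Anyone who obtains the table (breach, stolen backup, leaked log) gets every
# password verbatim and can try it against the user's other accounts.
def store_plaintext(users: dict, username: str, password: str) -> None:
    users[username] = password


def check_plaintext(users: dict, username: str, password: str) -> bool:
    return users.get(username) == password


# --- Hardened alternative: salted, slow, one-way hash ------------------------
# A fresh random salt per user means identical passwords produce different
# digests, so a precomputed table is useless and one crack does not reveal
# every user who chose the same password.
ITERATIONS = 200_000  # assumption: tune so one derivation costs ~100 ms on your hardware


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def store_hashed(users: dict, username: str, password: str) -> None:
    salt = os.urandom(16)
    users[username] = {
        "salt": salt,
        "iterations": ITERATIONS,  # stored per record so it can be raised later
        "hash": _derive(password, salt, ITERATIONS),
    }


def check_hashed(users: dict, username: str, password: str) -> bool:
    rec = users.get(username)
    if rec is None:
        # Do the same work for unknown users so response time does not
        # reveal whether an account exists.
        _derive(password, b"\x00" * 16, ITERATIONS)
        return False
    candidate = _derive(password, rec["salt"], rec["iterations"])
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, rec["hash"])


def exposure_after_breach(users: dict) -> list:
    """Return every (user, password) pair a copy of the table reveals directly:
    all of them for a plain-text table, none for a hashed one."""
    return [(name, rec) for name, rec in users.items() if isinstance(rec, str)]


if __name__ == "__main__":
    # Constructed sample accounts; both users chose the same password.
    plain, hashed = {}, {}
    for user, pw in [("alice", "correct horse"), ("bob", "correct horse")]:
        store_plaintext(plain, user, pw)
        store_hashed(hashed, user, pw)
    print("leaked from plain-text table:", exposure_after_breach(plain))
    print("leaked from hashed table:", exposure_after_breach(hashed))
    print("same password, different digests:",
          hashed["alice"]["hash"] != hashed["bob"]["hash"])
    print("login ok:", check_hashed(hashed, "alice", "correct horse"))
    print("wrong password:", check_hashed(hashed, "alice", "wrong"))
```

The per-record iteration count matters for exactly the situation in the article: when a site later decides its settings were too weak, it can re-hash each account at next login without a mass reset. A purpose-built password hash such as bcrypt, scrypt or Argon2 is the better choice in production; PBKDF2 is used here only because it needs no third-party package.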

The company did enforce password resets after the breach, and advised users that they should also change their passwords elsewhere if they were in the habit of reusing them.

Additionally, Cupid took a “collaborative and cooperative approach” in working with the Office of the Australian Information Commissioner in order to rectify the situation, including the segregation of its database to ensure that personal information was not available on the public-facing website, and the analysis of its server logs to ensure that the original vulnerability (a missed patch for ColdFusion) was fixed.

The investigation was therefore closed and no punishment given to Cupid.

Now seems like a good time for us to remind you (and, in turn, for you to remind your friends and family) that every online account should have a different password. It’s so important that it’s one of our 3 essential security tasks you can do today.

It’s not the first time that online daters have been caught out by a breach.

Love may be blind but the hackers aren’t – so be careful where you stick your personal information.
