The official report on last year's data breach at Australian "dating site" operator Cupid Media Pty Ltd, released last week, makes for interesting reading. Privacy Commissioner Timothy Pilgrim has of course judged Cupid's information security practices under the provisions of the Privacy Act in force at the time — and found them wanting — but it indicates how he might judge organisations under the new laws that came into force on 12 March this year.
Many will fail to pass the test.
Cupid's story follows the usual narrative: unpatched vulnerability, vulnerability exploited, customer database compromised, personal information stolen.
Full names, some dates of birth, email addresses, and passwords of 254,000 active Australian customers were exposed — out of a total of 42 million compromised account details subsequently published online.
Cupid should be congratulated for discovering the breach after just three days — most data breaches are discovered months after the fact, and usually by third parties. Perhaps they also deserve a gentle pat on the head for notifying their customers — although why we praise companies for deigning to follow the most basic of ethical practices is beyond me.
But Cupid deserves all the criticism they get from Pilgrim, and more, for storing passwords in plain text, for failing to destroy personal information that was no longer needed, and for trying to downplay their data protection responsibilities.
"Password encryption strategies such as hashing and salting are basic security steps that were available to Cupid at the time of the data breach that may have prevented unauthorised access to user accounts," Pilgrim writes.
Failing to adopt what Pilgrim describes as "simple and effective" techniques was therefore "a failure to take reasonable security steps" as required by privacy law.
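As an added illustration, not part of the original column and not Cupid's code, here is the contrast Pilgrim is drawing, in Python: a store that keeps the password itself beside one that keeps only a per-user random salt, a work factor, and a slow salted hash. The sample accounts, the class and function names and the iteration count are my own assumptions. One caveat on wording: what is wanted is a one-way password hash, not reversible "encryption", because the site never needs the password back, only to check a candidate against it.

```python
import hashlib
import hmac
import os

# Constructed sample credentials for the demonstration (not Cupid data).
# Two users deliberately share a password to show what salting buys.
SAMPLE_USERS = [
    ("alice@example.com", "correct horse battery staple"),
    ("bob@example.com", "correct horse battery staple"),
    ("carol@example.com", "hunter2"),
]

# Assumed tuning: raise the iteration count as far as login latency allows.
# PBKDF2-HMAC-SHA256 is used for portability; scrypt or Argon2id are better
# choices for a new design because they also cost memory.
ITERATIONS = 200_000
SALT_BYTES = 16


class PlaintextStore:
    """The failure mode: the table row is the password. A dump of this table
    is a ready-to-use credential list, usable against every other site where
    the customer reused the password."""

    def __init__(self):
        self.rows = {}

    def register(self, email, password):
        self.rows[email] = password

    def verify(self, email, password):
        return self.rows.get(email) == password


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return (salt, digest). A fresh random salt per user means identical
    passwords produce different digests and precomputed tables are useless."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


class HashedStore:
    """The 'simple and effective' fix: store salt, work factor and digest,
    never the password. Storing the work factor lets it be raised later
    without invalidating existing rows."""

    def __init__(self):
        self.rows = {}

    def register(self, email, password):
        salt, digest = hash_password(password)
        self.rows[email] = (salt, ITERATIONS, digest)

    def verify(self, email, password):
        row = self.rows.get(email)
        if row is None:
            # Do the work anyway so an unknown email costs the same time as
            # a known one; otherwise timing leaks which emails are registered.
            hash_password(password)
            return False
        salt, iterations, stored = row
        _, candidate = hash_password(password, salt, iterations)
        # Constant-time comparison so the digest cannot be recovered byte by byte.
        return hmac.compare_digest(candidate, stored)


def build_stores(users=SAMPLE_USERS):
    """Populate both stores with the same constructed accounts."""
    plain, hashed = PlaintextStore(), HashedStore()
    for email, password in users:
        plain.register(email, password)
        hashed.register(email, password)
    return plain, hashed


if __name__ == "__main__":
    plain, hashed = build_stores()
    print("Breached plaintext table:")
    for email, password in plain.rows.items():
        print(f"  {email}: {password}")
    print("Breached hashed table (alice and bob share a password):")
    for email, (salt, iters, digest) in hashed.rows.items():
        print(f"  {email}: salt={salt.hex()} iters={iters} digest={digest.hex()[:16]}...")
```

The breach view of the hashed table gives an attacker nothing to reuse directly; each password has to be guessed against its own salt at the full work factor, which is exactly the cost Pilgrim says Cupid could have imposed at the time.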
"Cupid advised that although the media had reported that 42 million users' accounts were compromised as a result of the data breach, this figure is not accurate because it includes 'junk' accounts and duplicate accounts," Pilgrim writes. Nice try, Cupid.
"In other words, the personal information pertaining to a significant number of accounts was not in use by Cupid," he continues. "Further, Cupid confirmed that at the time of the data breach, it did not have any particular systems in place to identify accounts that were no longer needed or in use, or a process for how the destruction or de-identification of personal information related to such accounts would occur."
That scored Cupid a second "failed to take reasonable steps" slap.
Pilgrim's findings set what I think is a reasonable standard for "reasonable steps". There's nothing new here. We're looking at well-known risks with well-known mitigations.
Given the number of data breaches hitting the news these days, even the non-technical managers of online businesses should be alert to the issues and asking their technical staff some tough questions. If they're not, they're not doing their jobs.
Pilgrim has also given us a timely reminder that personal data is much more than mere financial data.
"Cupid stated that as it does not store credit card information or bank account data, less stringent steps could be required of it than organisations that store financial or sensitive data," Pilgrim wrote.
"However, the Commissioner noted that data other than credit and other financial information may be 'sensitive information' under the definition of that term in the Privacy Act. Particularly, the Commissioner noted that Cupid offers services via sites categorised as 'African dating', 'Asian dating', 'Latin dating', 'gay and lesbian dating', 'special interest' and 'religion'. The personal information that Cupid handles in relation to user accounts for these particular sites will include 'sensitive information' for the purposes of the Privacy Act. The Commissioner therefore found that more stringent steps were required of Cupid to keep this information secure than may be required of organisations that do not handle sensitive information."
Indeed. Credit card numbers can be changed, and individuals are generally protected from financial loss. The sooner we drop credit card numbers as the benchmark for data protection the better.
Had Cupid's data breach happened after 12 March 2014, when Australia's privacy law reforms gave the privacy commissioner the power to impose financial penalties, the company could well have copped a substantial fine.
I wouldn't have been standing in Pilgrim's way. It's becoming clear that companies won't proactively sort out their data protection — that is, the protection of OUR data — until they start seeing a few heads on spikes.
That's where I disagree with Pilgrim. Cupid didn't suffer a penalty this time, not just because the new laws didn't apply, but also because, as ZDNet reported, "the Commissioner acknowledged the company took a 'collaborative and cooperative approach' in working with the Office of the Australian Information Commissioner to solve the matter."
Yes, but nearly a year after the data breach had happened, and only once all of the data had been exposed and OAIC had been in touch to find out what was going on.
I'd like to think that the Privacy Commissioner, armed with new laws, will put a bit more stick about. Once my Cupid account and the full details of my goat fetish are out there, there's no going back.
But it won't happen.
It's clear that Australia's favourite Attorney-General, Senator George Brandis QC, sees internet and digital law through a prism of how it might become a burden for doing business — from restrictions on racial hate speech inconveniencing the employees of major media companies, to the unknown but largely inflated impact of copyright infringers inconveniencing the overpriced and unimaginative middle-men who sit between you and the creators of your favourite television series.
The Privacy Commissioner will need resources to investigate and prosecute the many continuing failures to protect our personal data. It took six months for the report on Cupid to see the light of day. I don't imagine Senator Brandis will be keen on coughing up the funds to increase the pace or volume of that work.