Cupid Media data breach remedied following Privacy Act violation

The Privacy Commissioner found that Cupid Media had failed to take steps to secure personal information on its web servers, which resulted in the personal information of approximately 254,000 users being stolen.

Thirty-five dating websites owned by Cupid Media were hacked in January last year, and the company was subsequently found by the Australian Privacy Commissioner to have breached the Privacy Act.

The Commissioner launched its investigation into Cupid's data breach at the end of last year, following media allegations that account details and personal information, including full names, dates of birth, email addresses, and passwords, of approximately 254,000 Australian Cupid users had been stolen and were found on a server operated by the hackers.

According to the Commissioner, Cupid had failed to take "reasonable" steps, as required under the Privacy Act, to secure the personal information it held.

In fact, Cupid admitted that because it does not store credit card or bank account data, it had concluded that the information it did hold was not "sensitive information", and so it took less stringent steps to secure the data on its servers.

However, the Commissioner noted that data other than credit card and other financial information can be "sensitive information" under the Privacy Act, particularly because Cupid offers services through site categories such as African dating, Asian dating, Latin dating, gay and lesbian dating, special interest, and religion, and membership of such a site can reveal a user's racial or ethnic origin, sexual orientation or religious beliefs.

"The personal information that Cupid handles in relation to user accounts for these particular sites will include 'sensitive information' for the purposes of the Privacy Act," the Commissioner said.

"The Commissioner therefore found that more stringent steps were required of Cupid to keep this information secure than may be required of organisations that do not handle sensitive information."

Despite the breach, Cupid was not issued any penalty, because the Commissioner acknowledged that the company took a "collaborative and cooperative approach" in working with the Office of the Australian Information Commissioner to resolve the matter.

Cupid has since taken steps to remedy the hack, including identifying and installing patches and security updates as they become available; running antivirus protection on all of its servers; and segregating its database so that all database information is kept on a separate network from the website information.

"Installation of malicious software (malware) detection and prevention software (including antivirus software) is a reasonably affordable security step that can assist organisations to prevent attacks by malicious hackers and the damage caused by malware," the Commissioner said.

Cupid also undertook a privacy and data security remediation program, which involved notifying all affected users and encouraging them to reset their passwords, and analysing server logs and tracing the attack method to confirm that the breach had been contained.