Australian online dating operator Cupid Media breached the Privacy Act last year when its lax security provisions were exploited by hackers and the personal details of up to 254,000 of its customers stolen, the Privacy Commissioner has found.
Cupid Media operates a number of niche dating forums based on ethnicity, sexual orientation and religion.
In January 2013, hackers exploited a vulnerability in the Adobe ColdFusion server platform to gain access to Cupid Media's web servers. Once in, they uploaded a rogue ColdFusion file to those servers and used it to run repeated SQL queries against the back-end database, gaining unauthorised access to the customer data it contained.
What they found was a treasure trove of full names, addresses, dates of birth and passwords for Cupid’s user base, stored as plain text. The nature of the dating service also meant details pertaining to users' personal and religious orientations were exposed.
While media reports late in 2013 suggested that as many as 42 million user accounts had been exposed, the company calculated that once 'junk' and duplicate profiles were taken into account, the figure was closer to 254,000.
The OAIC today ruled the event constituted a breach of the National Privacy Principles, which were superseded in March 2014 by the new Australian Privacy Principles, as Cupid Media "failed to take reasonable steps to ensure the security of the personal information that it held" and "... to destroy or permanently de-identify the personal information it held".
In a ruling that casts some extra light on what will and won't pass the OAIC's 'reasonable steps' test in a data security context, the Commissioner said Cupid's failure to encrypt stored passwords (in practice, to store them as salted hashes rather than in a recoverable form) undermined its responsibility to protect the privacy of its customers.
“Password encryption is a basic security strategy that may prevent unauthorised access to user accounts. Cupid insecurely stored passwords in plain text, and I found that to be failure to take reasonable security steps as required under the Privacy Act,” Privacy Commissioner Timothy Pilgrim said in a statement.
Cupid was also reprimanded for holding onto the contents of inactive accounts and data it doesn’t need.
“Holding onto old personal information that is no longer needed does not comply with the Privacy Act and needlessly places individuals at risk. Organisations must identify out of date or unrequired personal information and have a system in place for securely disposing with it,” Pilgrim said.
The OAIC confirmed Cupid Media has since hashed all user passwords with a unique salt, and implemented daily hacking and vulnerability scans, with a focus on ColdFusion.
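To make concrete what separates the plain-text storage the OAIC criticised from the per-user salted hashing Cupid later adopted, here is an added example in Python. It is illustrative code written for this article, not Cupid Media's own migration or any ColdFusion code; the user names, passwords and the PBKDF2 iteration count are constructed sample values, and the `pbkdf2_sha256$...` record layout is an assumed format.

```python
"""Plain-text password storage versus per-user salted hashing.

Added illustration, not Cupid Media's code. All sample data below is constructed.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample table of the kind the article describes: passwords held
# verbatim, so any read of the table yields every credential directly.
PLAINTEXT_USERS: Dict[str, str] = {
    "alice": "correct horse battery staple",
    "bob": "correct horse battery staple",   # deliberately the same as alice
    "carol": "hunter2",
}

ITERATIONS = 200_000   # assumed work factor; tune to your hardware budget
SALT_BYTES = 16        # 128-bit random salt per user


def unsalted_digest(password: str) -> str:
    """A bare hash without salt: equal passwords give equal digests, so a
    leaked table still reveals which users share a password and is open to
    precomputed (rainbow-table) attacks. Shown only as the weak variant."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt$digest'.

    A fresh random salt is drawn for every call, so two users with the same
    password end up with different records (the 'unique salt' in the OAIC note).
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest from the stored salt and iteration count and compare
    in constant time, so a timing side channel does not leak digest bytes."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported password record format")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def migrate(plaintext_table: Dict[str, str]) -> Dict[str, str]:
    """One-off migration: replace every plain-text password with a salted hash.
    After this the original passwords are no longer recoverable from the table."""
    return {user: hash_password(pw) for user, pw in plaintext_table.items()}


def salts_are_unique(hashed_table: Dict[str, str]) -> bool:
    """Check the property the OAIC called out: no two users share a salt."""
    salts = [record.split("$")[2] for record in hashed_table.values()]
    return len(salts) == len(set(salts))


if __name__ == "__main__":
    hashed = migrate(PLAINTEXT_USERS)
    for user, record in hashed.items():
        print(user, record)
    print("alice and bob share a bare digest:",
          unsalted_digest(PLAINTEXT_USERS["alice"]) == unsalted_digest(PLAINTEXT_USERS["bob"]))
    print("alice and bob share a salted record:", hashed["alice"] == hashed["bob"])
    print("alice login ok:", verify_password("correct horse battery staple", hashed["alice"]))
```

Running the script shows the difference the ruling turns on: with a bare digest, alice and bob are visibly the same password; with a per-user salt their stored records differ, and a verifier can still check a login attempt without the plain text ever being stored.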
It commended the company for notifying all affected users and automatically resetting their passwords, but pointed out that it missed the opportunity to voluntarily let the OAIC itself know about the incident, which the Office instead learned of through the media.
Earlier this year Pilgrim told iTnews that in the absence of mandatory data breach notification laws, companies that come forward early with news of a breach are likely to be looked upon favourably for their efforts.
Because the incident took place before the new Australian Privacy Principles came into effect in March 2014, Cupid Media will not be liable for financial penalties as a result of the ruling.
Adobe, the owner of the ColdFusion product, has been contacted for comment.
A prior version of this story said 245,000 Australian users had been affected due to a typo in the OAIC media release. This has been corrected to 254,000.