Australian dating company Cupid Media has been found to have breached privacy laws, after the information of 245,000 Australians was stolen by hackers.
Last November, security expert Brian Krebs revealed that hackers had accessed the personal information of 42 million Cupid Media users worldwide.
Krebs found that the stolen information was all plaintext, meaning no encryption or hashing was in place, and included names, email addresses, dates of birth and passwords of users from around the world.
Cupid Media MD Andrew Bolton disputed the number of affected users, saying it was “considerably less than the 42 million” Krebs had quoted.
And now Australian Privacy Commissioner Timothy Pilgrim has found Cupid Media to be in breach of the country’s privacy laws.
He said the online dating company failed to properly secure their user information with encryption.
Pilgrim said: “Password encryption is a basic security strategy that may prevent unauthorised access to user accounts.
“Cupid insecurely stored passwords in plain text, and I found that to be a failure to take reasonable security steps as required under the Privacy Act.”
Cupid Media is an Australian-based company that owns over 30 niche dating sites, including BrazilianCupid.com, MilitaryCupid.com and AussieCupid.com.
The Privacy Commissioner also said Cupid Media didn’t delete information that was no longer used by the company – meaning the amount of personal information stored built up.
As Brian Krebs said, although the users might not be “active”, many people reuse the same information on other sites, so a breach on one site could compromise the security of many others.
“Holding onto old personal information that is no longer needed does not comply with the Privacy Act and needlessly places individuals at risk.
“Legally, organisations must identify out-of-date or unrequired personal information and have a system in place for securely disposing of it.”
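The two findings above (plaintext passwords, and retention of data no longer needed) are illustrated in the following added example, which is not Cupid Media's code. Password storage uses a salted, slow hash (PBKDF2-HMAC-SHA256) rather than plaintext or reversible encryption, and a retention check flags accounts idle beyond a window; the iteration count, field format and sample records are assumptions.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta

# Work factor for PBKDF2-HMAC-SHA256 (assumed value; tune to current guidance).
ITERATIONS = 600_000


def hash_password(password: str, salt: bytes = b"") -> str:
    """Store a password as 'pbkdf2_sha256$iterations$salt_hex$digest_hex'.

    A fresh random salt per user means identical passwords do not produce
    identical records, unlike the plaintext store described in the article.
    """
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed or legacy (e.g. plaintext) record
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def stale_accounts(records, now: datetime, max_idle_days: int = 365) -> list:
    """Return ids of accounts idle longer than the retention window.

    Records past this window are candidates for secure deletion; keeping
    them only enlarges what a breach exposes.
    """
    cutoff = now - timedelta(days=max_idle_days)
    return [r["user_id"] for r in records if r["last_login"] < cutoff]


# Constructed sample data; not real user records.
USERS = [
    {"user_id": 1, "email": "a@example.com", "last_login": datetime(2013, 10, 1)},
    {"user_id": 2, "email": "b@example.com", "last_login": datetime(2011, 3, 15)},
]
```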
Pilgrim said Cupid Media had since taken necessary steps to fix the problem.
“Cupid’s vulnerability-testing processes did allow it to identify the hack and respond quickly.
“Hacks are a continuing threat these days, and businesses need to account for that threat when considering their obligation to keep personal information secure.”