When it comes to the dangers of online dating, you are probably well aware of ‘lonely hearts’ scammers – those who extort money by pretending to be smitten with your digital self.
But online dating can be dangerous for a completely different but equally sinister reason: data theft.
Depending on your level of honesty, building a dating profile can involve disclosing a lot of sensitive information.
On Wednesday, Privacy Commissioner Timothy Pilgrim found the lax privacy protocols of a Gold Coast online dating company led to thousands of Australian users having their sensitive information stolen by hackers last year.
Cupid Media, which runs 36 global dating sites, failed to take reasonable steps to protect its data, and thus was found to have breached the Privacy Act.
In this year’s annual data breach report, US telco Verizon noted that data breaches like these are occurring globally “at a staggering rate”.
Based on worldwide data including from Australia, Verizon reported that 63,437 security incidents and 1,367 confirmed data breaches occurred in 2013. This represents an increase of more than 16,000 incidents and more than 700 confirmed breaches from the previous annual report.
Peter Clarke, a member of the Australian Privacy Foundation and a Melbourne-based barrister who specialises in the area of privacy law, says that online dating websites are inherently risky.
“The problem is, if you want to use [online dating sites] to the best advantage, it’s in your interests to provide the information that will get you the results,” Mr Clarke says.
Australia’s privacy law recognises that much of the information we share on these sites, such as our race, ethnicity, politics, religion and sexuality, is “sensitive” and in need of protection – something the Privacy Commissioner confirmed in his investigation report.
For example, one of the Cupid Media websites that was hacked is called GayCupid. Having an account with this website could be sensitive information that a user might want to keep private.
Another lesson to be learned from Cupid Media is that anything you upload to your dating profile can persist in cyberspace long after you get bored with the website or find a long-term partner.
In Cupid’s case, the Privacy Commissioner found that much of the stolen data should have been deleted or de-identified long ago, but carelessly was not.
Lucky escape for Cupid
Mr Clarke says the consequences for Cupid Media were “very lenient” compared to what could have been imposed under recent amendments to the Privacy Act.
Cupid luckily missed the starting date for these new privacy laws. If it had committed the same breach after 12 March this year, it could have faced a fine of up to $1.7 million, according to Mr Clarke.
Cupid was also doubly fortunate, in that the mandatory data breach notification law proposed by the previous Labor Government was never passed.
This Act would have imposed stricter US-style requirements on Australian companies to notify their users and the Privacy Commissioner immediately after a data breach occurs.
If this had been in place, Mr Clarke says a breach like that at Cupid could have been resolved more quickly, with users better informed.
“The benefit of a mandatory notification process is that it sets down a timeframe, and what this [report] doesn’t tell you is when Cupid Media notified.
“They really should be saying more than just, ‘There’s been a breach. Change your passwords.’ They really should be saying what the nature of the breach was,” Mr Clarke says.
Fortunately for Cupid, the law did not pass, and – despite being reintroduced by a Labor Senator in March – is likely to be blocked by the Abbott Government.
“Both parties are playing politics on it, but it’s a classic example that, if there had been mandatory notification of a data breach, this [Cupid Media case] would fall right in the middle of an obligation to do that,” Mr Clarke says.