An online dating company has been found in breach of privacy laws after hackers accessed the personal information of about 245,000 of its Australian users.
Australian Privacy Commissioner Timothy Pilgrim found Cupid Media breached the Privacy Act by failing to take reasonable steps to secure data held on its websites.
Cupid operates more than 35 niche dating websites such as ChristianCupid, MilitaryCupid, SingleParentLove and other sites based on ethnicity, religion and location.
Hackers gained unauthorised access to Cupid webservers in January last year and stole the personal information of the Australian Cupid site users.
The stolen data included full names, dates of birth, email addresses and passwords.
Commissioner Pilgrim said the investigation found that at the time of the incident, Cupid did not have password encryption processes in place.
“Password encryption is a basic security strategy that may prevent unauthorised access to user accounts,” he said.
“Cupid insecurely stored passwords in plain text, and I found that to be a failure to take reasonable security steps as required under the Privacy Act.”
He said the incident also demonstrated the importance of securely destroying or permanently de-identifying personal information when it is no longer required.
Commissioner Pilgrim found Cupid had not done so.
“Holding onto old personal information that is no longer needed does not comply with the Privacy Act and needlessly places individuals at risk,” he said.
“Legally, organisations must identify out-of-date or unrequired personal information and have a system in place for securely disposing of it.
Businesses, customers must be vigilant: Pilgrim
“I would also remind consumers using internet dating sites to regularly update your privacy settings, change your passwords and be careful about the personal information you share.
“You don’t want to become a victim of identity theft or a scam.”
The commissioner said the company had cooperated with the investigation and had taken major steps to fix the problems.
He said businesses must remain vigilant about information security.
“Cupid’s vulnerability-testing processes did allow it to identify the hack and respond quickly,” he said.
“Hacks are a continuing threat these days, and businesses need to account for that threat when considering their obligation to keep personal information secure.”
The commissioner said the company had addressed the office’s concerns and that the office had closed the investigation.
Cupid has not yet responded to the ABC’s inquiries.