A cyber attack against dating website operator Cupid Media, which led to the details of 254,000 Australian users being stolen, could have been prevented if the company had password encryption measures, found Australian Privacy Commissioner Timothy Pilgrim.
According to Pilgrim, the cyber criminals got away with 254,000 full names, email addresses and passwords.
His investigation found that Cupid Media breached the Privacy Act by failing to take “reasonable steps” to secure users’ personal information. In 2013, the company did not have password encryption processes in place.
“Password encryption is a basic security strategy that may prevent unauthorised access to user accounts. Cupid Media insecurely stored passwords in plain text, and I found that to be failure to take reasonable security steps as required under the Privacy Act,” Pilgrim said in a statement.
- Scams, fraud increased in Australia during 2013
- What’s it like to be a `Nigerian Scam’ victim?
- How to avoid a Privacy Act breach
In addition, Cupid Media failed to destroy or de-identify the details of people who had left the site.
“Holding onto old personal information that is no longer needed does not comply with the Privacy Act and needlessly places individuals at risk. Organisations must identify out of date personal information and have a system in place for securely disposing of it,” Pilgrim said.
The Office of the Information Commissioner (OAIC) did not receive a data breach notification from Cupid Media. It opened the investigation following media reports.
However, Pilgrim said that Cupid Media subsequently took a number “of remedial steps” including the adoption of password encryption following the breach.
Cupid Media operates more than 35 dating websites that are based on personal preferences including religion and location.
His advice to Australians who use popular dating sites – such as RSVP and eHarmony – is to update their privacy settings regularly, change their passwords and “be careful” about the personal information they share online. This is because scammers, who pretend to be single, have created fake profiles on these sites to try and obtain money from potential victims.
“You don’t want to become a victim of identity theft or a scam,” he said.
Follow Hamish Barwick on Twitter: @HamishBarwick
Read more: AFP apologises for privacy breach