Cupid Media (Cupid) operates over 35 niche dating websites based on personal information including ethnicity, religion and location. In June 2014, the Australian Privacy Commissioner, Timothy Pilgrim, found Cupid failed to take reasonable steps to secure personal information held on its dating websites when hackers gained unauthorised access to Cupid webservers and stole the personal information of about 254,000 Australian users.

The figure was reported to be 42 million users across the globe; however, this figure was disputed by Cupid's managing director Andrew Bolton. The personal information compromised at the time of the hack included users' full names, dates of birth, email addresses and passwords.

The Commissioner found Cupid did not, at the time of the hack, have password encryption processes in place. He said: "password encryption is a basic security strategy that may prevent unauthorised access to user accounts. Cupid insecurely stored passwords in plain text, and I found that to be failure to take reasonable security steps as required under the Privacy Act".

The Commissioner also found Cupid had not securely destroyed or permanently de-identified personal information that was no longer required. The Privacy Act does not allow businesses to hold onto personal information that is no longer required. Businesses have an obligation to seek out unnecessary and out of date personal information and must have systems in place for securely disposing of that information.

The Commissioner said Cupid worked collaboratively with the OAIC; cooperated with its investigation; and had taken major steps to fix the problems.

Key points

  • Cupid Media Pty Ltd (Cupid) breached the Privacy Act by failing to take reasonable steps to secure the personal information held by its suite of dating websites.
  • The Privacy Commissioner welcomed Cupid's collaborative and cooperative approach in working with the Office of the Australian Information Commissioner (OAIC) and the significant privacy remedial steps that it took in response.
  • The Privacy Commissioner found Cupid acted appropriately in response to the data breach and the Privacy Commissioner's investigation was closed.

Key takeaway

Under the Australian privacy regime, there is no doubt that an organisation's privacy obligations are a risk factor that needs to be managed.

As the Privacy Commissioner said: "hacks are a continuing threat these days, and businesses need to account for that threat when considering their obligation to keep personal information secure".

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.