The Australian Privacy Commissioner (Commissioner) recently completed a report into allegations that personal information of users of the Cupid dating web site had been acquired by unauthorised persons.

The incident occurred prior to the 12 March 2014 replacement of the 10 National Privacy Principles (NPPs), with the Australian Privacy Principles (APPs).

NPP 4 (and new APP 11.1) requires that reasonable steps be taken to protect personal information from misuse and loss. In determining what were reasonable steps, the Commissioner looked at Cupid's particular circumstances, including:

  • the volume and sensitivity of the personal information handled; and
  • the likely impact in the event that the personal information was compromised.

Cupid argued that, because it did not hold credit card information or bank data, less stringent steps were required of it. However, the Commissioner noted that Cupid may have held sensitive information because of the various types of "special interest" web sites it operated, and found that Cupid was required to take more stringent steps to keep that information secure than might be required of organisations that do not handle such sensitive information.

Salting and Hashing
"Hashing" is a process of calculating a value (the hash) from other data, in such a way that the hash does not contain that data. With hashed passwords, the system stores the hash, not the password. A hashed password does not include the original password; instead, when the user supplies their password, the system recalculates the hash and compares it with the hash it has stored. There are many different ways a hash can be calculated. For storing passwords, the method selected should be what is known as a strong cryptographic hashing algorithm: these make it harder both to work out what the original data was, and to find other (different) data that happens to produce the same hash.

"Salting" is a process of adding additional random data (the salt) to the password before calculating the hash that will be stored in the database. The salt is also stored with the hash, so that the same salt can be added when the user's password is checked. The salt ensures that even if two users have the same password, they will probably not have the same hash, so an attacker has to attack each user's password separately.
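The following is an added example, not code from the article or from Cupid, showing the salted hashing the Commissioner described. It uses PBKDF2-HMAC-SHA256 from the Python standard library so it runs without dependencies; the algorithm name, salt size, iteration count and the `alg$iterations$salt$digest` record layout are all assumptions of this example, and a production system would more usually reach for a dedicated password-hashing library (bcrypt, scrypt or Argon2). It also includes a plain unsalted hash purely to show the property the article warns about: two accounts with the same password produce the same stored value.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters, not taken from the article: PBKDF2-HMAC-SHA256 from the
# Python standard library, a 16-byte random salt, and an iteration count chosen
# to make each guess deliberately slow. Tune ITERATIONS to your hardware.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'alg$iterations$salt$digest'.

    A fresh random salt is generated per password unless one is passed in
    (only useful for tests). Storing the algorithm and iteration count next
    to the hash lets the parameters be raised later without breaking old rows.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${_b64(salt)}${_b64(digest)}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algorithm, iterations_text, salt_b64, digest_b64 = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        iterations = int(iterations_text)
    except ValueError:
        return False  # malformed record: reject rather than crash
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def unsalted_hash(password: str) -> str:
    """A fast, unsalted hash, shown only to contrast with hash_password().

    Every account with the same password gets the same value, so one
    precomputed table of common passwords matches all of them at once.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def same_hash_for_same_password(password: str, salted: bool) -> bool:
    """Do two accounts with the same password end up with identical records?"""
    if salted:
        return (hash_password(password, iterations=10_000)
                == hash_password(password, iterations=10_000))
    return unsalted_hash(password) == unsalted_hash(password)


if __name__ == "__main__":
    # Constructed sample accounts; two of them share a password on purpose.
    users = {"alice": "Sunflower2014", "bob": "Sunflower2014", "carol": "xK9!pq"}
    table = {name: hash_password(pw) for name, pw in users.items()}
    for name, record in table.items():
        print(name, record)
    print("alice/bob salted records identical:", table["alice"] == table["bob"])
    print("alice/bob unsalted hashes identical:",
          unsalted_hash(users["alice"]) == unsalted_hash(users["bob"]))
    print("login check:", verify_password("Sunflower2014", table["alice"]))
    print("wrong password:", verify_password("Sunflower2015", table["alice"]))
```

Running the script prints three distinct records even though alice and bob share a password, while their unsalted hashes are identical; the verify step succeeds only with the right password and rejects malformed or foreign-algorithm records instead of raising.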

The Commissioner reviewed the information management tools and the testing and monitoring used by Cupid, and found that they were reasonable. However the Commissioner reached the conclusion that Cupid had not taken reasonable steps to prevent disclosure of passwords, because the passwords were stored in plain text. The Commissioner found that the passwords should have been hashed, including by using a salt, because these techniques are simple and basic means to limit the risk of unauthorised access (and these techniques have been well known and used for decades). The Commissioner specifically found that Cupid's storage of passwords in plain text was a failure to meet the required standard.

The Commissioner also found that there was a failing in relation to the obligation to destroy or permanently de-identify personal information that was no longer being used; in this case, junk, duplicate or abandoned accounts.

Once the issue was identified, Cupid took a significant number of steps including:

  • sending a notification to all affected users, encouraging users to reset passwords;
  • analysing server logs and tracking the hack method to ensure the breach had been contained;
  • conducting 3 full scans using different detectors to confirm there were no malicious files;
  • engaging a security team to conduct a full audit of the servers;
  • conducting a remediation program;
  • upgrading security measures;
  • reviewing what personal information was required, to ensure that Cupid only collected and retained what was necessary;
  • engaging privacy lawyers to improve processes generally.

The Commissioner found that these responsive steps were appropriate, but nevertheless found that there had been breaches in relation to the security of password storage, and the failure to de-identify information, as mentioned above.

What is regarded as reasonable will no doubt move with changes in technology. However each organisation should obtain suitable analysis of its own needs, security system and privacy policies, to avoid what could at the very least be a rather embarrassing disclosure.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.