Cupid Media Pty Ltd: Own motion investigation report

Separating an entity's network into multiple functional and informational segments makes it more difficult for an intruder to propagate inside the network. Cupid identified that the ColdFusion vulnerability caused the data breach. While passwords may be guessed through computational 'brute-force' attacks, this becomes very difficult when strong hash algorithms and passwords are used. In response, Cupid took steps including applying the patch which fixed the vulnerability, which in turn stopped the attackers from obtaining further data. After considering the facts of the case, submissions from Cupid and the relevant provisions of the Privacy Act 1988 (Cth) (Privacy Act), the Commissioner came to the view that Cupid had breached the Privacy Act by failing to take reasonable steps to secure personal information it held. However, as Cupid independently identified the patch and then applied it immediately, in the circumstances the Commissioner considered Cupid to have used patches effectively.

On 21 January 2013, Cupid identified a rogue file on one of its servers, and that a hacker had attempted to gain access to a particular table within its databases. Section 6 provides that 'sensitive information' includes information or an opinion about an individual's racial or ethnic origin, political opinions, religious beliefs, or sexual orientation or practices. Cupid explained that there is no requirement for Cupid's users to verify their name to open an account. The Commissioner considers password reset processes to be reasonable security steps and good privacy practice generally. Intrusion detection systems, which use systems to monitor network or system activities for malicious activities and anomalous behaviour, can be an effective way of identifying and responding to known attack profiles.

Cupid advised that although the media had reported that 42 million users' accounts were compromised as a result of the data breach, this figure is not accurate because it includes 'junk' accounts and duplicate accounts. Following the data breach, Cupid also promptly initiated a password reset process for all its users. The Commissioner therefore found that more stringent steps were required of Cupid to keep this information secure than may be required of organisations that do not handle sensitive information. Cupid also worked with an external ColdFusion security contractor to ensure the vulnerability had been successfully patched and that the then current ColdFusion installation met best practice standards. In response, Cupid took steps including applying the patch which fixed the vulnerability, which in turn stopped the attackers from obtaining further data. Cupid explained that there is no requirement for Cupid's users to verify their name to open an account.

This was in response to media allegations that personal information of Cupid users had been acquired by unauthorised persons, and was found on a server operated by hackers, which Cupid confirmed. Cupid also worked with an external ColdFusion security contractor to ensure the vulnerability had been successfully patched and that the then current ColdFusion installation met best practice standards. Nature of personal information: Cupid stated that as it does not store credit card information or bank account data, less stringent steps could be required of it than organisations that store financial or sensitive data. Further, Cupid confirmed that at the time of the data breach, it did not have any particular systems in place to identify accounts that were no longer needed or in use, or a process for how the destruction or de-identification of personal information related to such accounts would occur. The Commissioner also recommended that Cupid regularly review its data security processes to continue to aim for best privacy practice that protects the personal information of its extensive user base. Separating an entity's network into multiple functional and informational segments makes it more difficult for an intruder to propagate inside the network.

The Commissioner's investigation focused on whether Cupid took reasonable steps to protect user information from misuse, loss, unauthorised access, modification or disclosure. Cupid advised that although the media had reported that 42 million users' accounts were compromised as a result of the data breach, this figure is not accurate because it includes 'junk' accounts and duplicate accounts. For this reason, Cupid considers that some of the full names and associated dates of birth involved in the data breach 'did not relate to real persons'. Personal information includes 'sensitive information'. This was in response to media allegations that personal information of Cupid users had been acquired by unauthorised persons, and was found on a server operated by hackers, which Cupid confirmed.

While passwords may be guessed through computational 'brute-force' attacks, this becomes very difficult when strong hash algorithms and passwords are used. The Commissioner's investigation focused on whether Cupid took reasonable steps to protect user information from misuse, loss, unauthorised access, modification or disclosure. Cupid advised that the particular developer ordinarily sent Cupid an alert when updates and patches were made available, but did not do so in this instance. Had Cupid received an alert from the developer that the patch was available, but not applied the patch, the Commissioner may have considered there to have been a failure by Cupid to take reasonable security steps. The personal information that Cupid handles in relation to user accounts for these particular sites will include 'sensitive information' for the purposes of the Privacy Act. Since its launch in 2000, Cupid Media has helped more than 30 million people look for love and grown from strength to strength, becoming one of the top niche dating networks in the world.

In other words, the personal information pertaining to a significant number of accounts was not in use by Cupid. However, the compromised passwords were not salted or hashed, or otherwise encrypted, before the data breach. Rectification: The Commissioner found that Cupid acted appropriately in responding to the data breach. Segmentation can also allow for different security measures to be applied to different types of information depending on its sensitivity and the risks associated with it. Had Cupid received an alert from the developer that the patch was available, but not applied the patch, the Commissioner may have considered there to have been a failure by Cupid to take reasonable security steps. However, the Commissioner noted that data other than credit and other financial information may be 'sensitive information' under the definition of that term in the Privacy Act. To comply with this obligation, an organisation must have had systems or procedures in place to identify information the organisation no longer needed, and a process for how the destruction or de-identification of the information would occur.

Further, effective use of patches can assist organisations to fix system vulnerabilities and other problems. This requires the organisation to release the information by its own action, intentionally or otherwise. The Commissioner considers password reset processes to be reasonable security steps and good privacy practice generally. Cupid advised that the particular developer ordinarily sent Cupid an alert when updates and patches were made available, but did not do so in this instance. On 13 December 2013, the Australian Privacy Commissioner (the Commissioner) opened an own motion investigation into Cupid.
