Cupid Media, based on the Gold Coast, operates 35 ‘niche’ dating sites, including and (yep, we had to look that one up too). In January last year hackers accessed Cupid’s servers and stole the personal information of 254,000 Australians (including profile passwords), and allegedly about 40 million users worldwide.

Cupid didn’t own up, but the Privacy Commissioner found out and launched his own investigation. He concluded that the privacy laws were breached because Cupid failed to take reasonable steps to ensure the security of personal information it held, and to destroy or permanently de-identify personal information which was no longer required.

The Commonwealth Privacy Act includes the concept of ‘sensitive information’, which covers information such as sexual preference, religious or political beliefs, and racial or ethnic origin. Your obligations to keep sensitive information secure are much tighter than those for general personal information. Considering Cupid’s services focus on ‘special interests’, and that its websites include and, we can’t imagine a richer source of sensitive information. Perhaps if they also had

The Commissioner found that Cupid had clearly breached its privacy obligations. However, it got off this time because it had acted quickly to stop the breach, notified users, and worked with the Commissioner to implement procedures for deleting data which was no longer required. But beware, the Commissioner now has the ability to impose penalties of up to $1.7 million for serious or repeated breaches.