The Privacy Commissioner has recently found Cupid Media Pty Ltd (Cupid) in breach of the National Privacy Principles for failing to take reasonable steps to secure personal information on its internet dating sites, and for failing to adequately dispose of personal information that was no longer in use.

Cupid operates more than 35 niche dating websites such as ChristianCupid, MilitaryCupid, SingleParentLove and other sites based on ethnicity, religion and location.

Hackers gained access to the sites in January 2013, stealing the personal information (such as names, dates of births, email addresses and passwords) of approximately 254,000 Australian users.

Cupid had vulnerability testing processes in place and a password reset program, however they did not have password encryption processes in place, even though such strategies were available at the time of the data breach. Due to the fact that Cupid handled sensitive personal information, the Commissioner found that more stringent steps were required to keep this information safe.

Cupid also did not have a process in place for destroying or de-identifying information.

The case reiterates that, in the Commissioner’s view:

  • businesses must remain vigilant about information security, emphasising the need for organisations to conduct ongoing testing and maintenance of security systems and breach response procedures;
  • password encryption is considered to be a basic security strategy, and failure to have such a process in place jeopardises your privacy compliance; and
  • you must take steps to destroy or de-identify personal information that is no longer required.

From 12 March 2014 (under the new Australian Privacy Principles), penalties for privacy non-compliance can extend to $1.7 million.