Cupid Media (Cupid) operates over 35 niche
dating websites based on personal information including ethnicity,
religion and location. In June 2014, the Australian Privacy
Commissioner, Timothy Pilgrim, found Cupid failed to take
reasonable steps to secure personal information held on its dating
websites when hackers gained unauthorised access to Cupid
webservers and stole the personal information of about 254,000
The figure was reported to be 42 million users across the globe;
however, this figure was disputed by Cupid's managing director
Andrew Bolton. The personal information compromised at the time of
the hack included users' full name, date of birth, email
addresses and passwords.
The Commissioner found Cupid did not, at the time of the hack,
have password encryption processes in place. He said:
"password encryption is a basic security strategy that may
prevent unauthorised access to user accounts. Cupid insecurely
stored passwords in plain text, and I found that to be a failure to
take reasonable security steps as required under the Privacy
The Commissioner also found Cupid had not securely destroyed or
permanently de-identified personal information that was no longer
required. The Privacy Act does not allow businesses to hold onto
personal information that is no longer required. Businesses have an
obligation to seek out unnecessary and out of date personal
information and must have systems in place for securely disposing
of that information.
The Commissioner said Cupid worked collaboratively with the
OAIC; cooperated with its investigation; and had taken major steps
to fix the problems.
Cupid Media Pty Ltd (Cupid) breached the Privacy Act by failing
to take reasonable steps to secure the personal information held by
its suite of dating websites.
The Privacy Commissioner welcomed Cupid's collaborative and
cooperative approach in working with the Office of the Australian
Information Commissioner (OAIC) and the significant privacy
remedial steps that it took in response.
The Privacy Commissioner found Cupid acted appropriately in
response to the data breach and the Privacy Commissioner's
investigation was closed.
Under the Australian privacy regime, there is no doubt that an
organisation's privacy obligations are a risk factor that needs
to be managed.
As the Privacy Commissioner said: "hacks are a
continuing threat these days, and businesses need to account for
that threat when considering their obligation to keep personal
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.