In an age where digital platforms increasingly shape our relationships, the Tea Dating Advice app bills itself as a "must-have app helping women avoid red flags before the first date with dating advice, and showing them who's really behind the profile of the person they're dating." While the "anonymous" reviews of men on the app raised a separate set of privacy concerns, the recent data breaches of the Tea app highlight the importance of app security and its impact on user privacy.
To join the app, users were required to provide an identity document, such as a driver's license, and a selfie to validate their identity and gender. While the privacy policy stated that the selfies would be deleted after authentication, public reports state that the data was not deleted but instead held in publicly available data buckets without authentication requirements. This resulted in the compromise of approximately 72,000 images: 13,000 were selfies and identification documents, and the other images had been posted within the app. Some of the data was shared on message boards, and message board users reportedly used location metadata associated with the photos to map Tea members' locations.
Following the discovery of the initial compromise, researchers found that over 1.1 million private messages exchanged on the app had also been compromised. The Tea app disabled private messaging in the aftermath of the discovery. Multiple class action lawsuits have been filed in the wake of the breach.
This breach is a cautionary tale for developers building platforms that handle sensitive personal data as well as for consumers providing the data. Developers should keep these key privacy and cybersecurity considerations in mind:
- Adhere to privacy policy statements: Despite promising to delete IDs post-verification, the Tea app retained them, which resulted in their compromise. Consumers rely on the statements in privacy policies. These statements help them make more informed decisions about whether and how they engage with your products. Misstatements can open companies up to deceptive trade practice claims.
- Prioritize data security: Do not store data, particularly sensitive data, in public data buckets. User data should be encrypted in transit and at rest, and access controls and audit logs are foundational to ensuring that only authorized individuals have access to the data.
- Operationalize data minimization: Data, and the insights derived from data, can be very valuable, but collecting excess data poses additional cyber risk. Only collect what is necessary to accomplish your stated goals. Additionally, set up automated processes to delete unnecessary or outdated user data to minimize the harm that could occur in the event of a breach.