31 July 2014

Tough love – Cupid Media fails data security standards

The Privacy Commissioner has recently found Cupid Media Pty Ltd (Cupid) in breach of the National Privacy Principles for failing to take reasonable steps to adhere to data security standards on its internet dating sites.

The Privacy Commissioner has recently found Cupid Media Pty Ltd (Cupid) in breach of the National Privacy Principles for failing to take reasonable steps to secure personal information on its internet dating sites, and for failing to adequately dispose of personal information that was no longer in use.

Cupid operates more than 35 niche dating websites such as ChristianCupid, MilitaryCupid, SingleParentLove and other sites based on ethnicity, religion and location.

Hackers gained access to the sites in January 2013, stealing the personal information (such as names, dates of birth, email addresses and passwords) of approximately 254,000 Australian users.

Cupid had vulnerability testing processes and a password reset program in place; however, it did not have password encryption processes in place, even though such strategies were available at the time of the data breach. Because Cupid handled sensitive personal information, the Commissioner found that more stringent steps were required to keep this information safe.

Cupid also did not have a process in place for destroying or de-identifying information.

The case reiterates that, in the Commissioner’s view:

  • businesses must remain vigilant about information security, emphasising the need for organisations to conduct ongoing testing and maintenance of security systems and breach response procedures;
  • password encryption is considered to be a basic security strategy, and failure to have such a process in place jeopardises your privacy compliance; and
  • you must take steps to destroy or de-identify personal information that is no longer required.

From 12 March 2014 (under the new Australian Privacy Principles), penalties for privacy non-compliance can extend to $1.7 million.

If you have any questions or concerns in relation to data security standards or your privacy compliance, please contact us.


This publication is for information only and is not legal advice. You should obtain advice that is specific to your circumstances and not rely on this publication as legal advice. If there are any issues you would like us to advise you on arising from this publication, please let us know.


Key contacts

Charles Sweeney
Managing Partner
Belinda Winter
