CIO

Cupid escapes fine over stolen list of ’42 million’ plaintext passwords

Australian niche dating site operator Cupid Media has escaped a fine from Australia’s privacy watchdog over a breach that exposed more than 40 million users’ unscrambled passwords.

Cupid Media’s breach hit headlines late last year after its customer database of 42 million records — including names, birthdays, email addresses and plaintext passwords — was found on the same server where records stolen from Adobe, PR Newswire and other organisations were found. 

The company, which is unrelated to dating site OkCupid, operates around 35 dating sites targeting people with interests in particular ethnicities or identity groups.

The Office of the Australian Information Commissioner (OAIC) on Wednesday announced that Cupid Media did breach Australia’s Privacy Act by failing to take reasonable steps to secure the personal information it held. The commissioner has had the power to fine businesses up to $1.7 million since March this year, but opted not to in this case.

The breach became publicly known in November 2013, but as Cupid Media’s boss Andrew Bolton told media at the time, Cupid had discovered its database was stolen 11 months earlier and had already notified affected customers.

According to the OAIC’s investigation, Cupid’s IT team discovered that hackers had exploited a security flaw in Adobe’s ColdFusion on 18 January. Adobe had released a security hotfix for the bug two days earlier, but Cupid said it did not receive the alert that Adobe usually sends when a patch is ready. Cupid said its IT team only discovered the patch was available on 21 January — the day it found a rogue file on its network.

While Cupid missed the essential patch, the commissioner gave a tick to the company’s general patch management, testing and monitoring steps. 

Cupid’s main shortcoming was its failure to use standard password-protection techniques, such as hashing and salting, and instead storing passwords in plaintext. On this count, the commissioner found it had failed to take reasonable steps.
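The finding above turns on a practice the article only names. The following is an added example, not code from the article or from Cupid Media, showing what salted hashing looks like in practice: each password is combined with a random per-account salt and run through a slow key-derivation function (PBKDF2-HMAC-SHA256, with an assumed iteration count), so that a stolen table no longer reveals the passwords and identical passwords no longer produce identical records. The `migrate_plaintext_store` function shows how an existing plaintext table would be converted; the user record is constructed for the example.

```python
import hashlib
import hmac
import secrets

# Assumption for this example: a work factor for PBKDF2-HMAC-SHA256.
# Higher is slower for an attacker guessing offline, and for the login path.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (hex).

    The salt is generated fresh per call, so two accounts with the same
    password get different stored values and cannot be matched by eye.
    """
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and parameters and compare."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash format: {algo}")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def migrate_plaintext_store(plaintext_users: dict, iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Convert a {email: plaintext_password} table into hashed records.

    After migration the returned table contains no password material that a
    thief could use directly; the originals should then be securely discarded.
    """
    return {
        email: {"password_hash": hash_password(pw, iterations)}
        for email, pw in plaintext_users.items()
    }


if __name__ == "__main__":
    # Constructed sample table, standing in for a plaintext user database.
    legacy = {"alice@example.com": "correct horse", "bob@example.com": "correct horse"}
    migrated = migrate_plaintext_store(legacy, iterations=10_000)
    for email, rec in migrated.items():
        print(email, rec["password_hash"])
    print(verify_password("correct horse", migrated["alice@example.com"]["password_hash"]))
    print(verify_password("wrong guess", migrated["alice@example.com"]["password_hash"]))
```

Note that the stored string carries its own iteration count, so the work factor can be raised later for new or re-verified accounts without breaking existing records.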

While Cupid has previously claimed the 42 million figure reported in the media was overstated, since many accounts were junk or duplicates, the commissioner said Cupid Media should have had a system to destroy or de-identify accounts no longer in use.

And while the breach didn’t include financial data, the way Cupid organised its sites meant the stolen data counted as sensitive personal information.

“The Commissioner noted that Cupid offers services via sites categorised as 'African dating', 'Asian dating', 'Latin dating', 'gay and lesbian dating', 'special interest' and 'religion'. The personal information that Cupid handles in relation to user accounts for these particular sites will include 'sensitive information' for the purposes of the Privacy Act,” the OAIC noted. 

Follow Liam Tung on Twitter @liamT

