Cupid escapes fine over stolen list of ’42 million’ plaintext passwords

Australian niche dating site operator Cupid Media has escaped a fine from Australia’s privacy watchdog over a breach that exposed the unscrambled passwords of over 40 million users.

Cupid Media’s breach hit headlines late last year after its customer database of 42 million records — including names, birthdays, email addresses and plaintext passwords — was found on the same server where records stolen from Adobe, PR Newswire and other organisations were found. 

The company, which is unrelated to dating site OkCupid, operates around 35 dating sites targeting people with interests in particular ethnicities or identity groups.

The Office of the Australian Information Commissioner (OAIC) on Wednesday announced that Cupid Media did breach Australia’s Privacy Act by failing to take reasonable steps to secure the personal information it held. The commissioner has had the power to fine businesses up to $1.7 million since March this year, but opted not to in this case.

The breach became publicly known in November 2013, but as Cupid Media’s boss Andrew Bolton told media at the time, Cupid had discovered its database was stolen 11 months earlier and had already notified affected customers.

According to the OAIC’s investigation, Cupid’s IT team discovered that hackers had exploited a security flaw in Adobe’s ColdFusion on 18 January. Adobe had released a security hot fix for the bug two days earlier, but Cupid said it did not, in this case, receive the alert that Adobe usually sends when a patch is ready. Cupid said its IT team only discovered the patch was available on 21 January, the day it found a rogue file on its network.

While Cupid missed the essential patch, the commissioner gave a tick to the company’s general patch management, testing and monitoring steps. 

Cupid’s main shortcoming was its failure to use standard password-protection practices, such as hashing and salting, instead of storing passwords in plaintext. On this count, the commissioner found it had failed to take reasonable steps.
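To make the shortcoming concrete, here is an added example (not code from Cupid Media, the OAIC or any project named in the article) contrasting the plaintext storage the breach exposed with salted, iterated hashing. PBKDF2-HMAC-SHA256, the iteration count and the `algo$iterations$salt$digest` record format are assumptions made for the example; in production one would use bcrypt, scrypt or Argon2 where available.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Assumed parameters for the example: a 16-byte random salt per user and an
# iteration count that makes each guess slow for an attacker holding the dump.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


# --- The failure mode described in the article: plaintext storage ----------
# Anyone who copies this table reads every password directly.
def store_plaintext(store: Dict[str, str], email: str, password: str) -> None:
    store[email] = password


def check_plaintext(store: Dict[str, str], email: str, password: str) -> bool:
    return store.get(email) == password


# --- The corrected form: per-user salt plus a slow, iterated hash ----------
def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm, iterations, salt, digest."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed or unrecognised record, never a match
    if algo != "pbkdf2_sha256" or rounds <= 0:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)


def store_hashed(store: Dict[str, str], email: str, password: str) -> None:
    store[email] = hash_password(password)


def check_hashed(store: Dict[str, str], email: str, password: str) -> bool:
    stored = store.get(email)
    return stored is not None and verify_password(password, stored)


def dump_reveals_password(store: Dict[str, str], password: str) -> bool:
    """Simulate an attacker reading a leaked copy of the table."""
    return any(password in record for record in store.values())


def salting_separates_equal_passwords(password: str, iterations: int = 1_000) -> bool:
    """Two users with the same password get different records because of the salt."""
    return hash_password(password, iterations=iterations) != hash_password(password, iterations=iterations)


if __name__ == "__main__":
    # Constructed sample accounts; not data from the breach.
    weak: Dict[str, str] = {}
    strong: Dict[str, str] = {}
    for email, pw in [("alice@example.com", "summer2013"), ("bob@example.com", "summer2013")]:
        store_plaintext(weak, email, pw)
        store_hashed(strong, email, pw)
    print("plaintext dump reveals password:", dump_reveals_password(weak, "summer2013"))
    print("hashed dump reveals password:", dump_reveals_password(strong, "summer2013"))
    print("login with correct password:", check_hashed(strong, "alice@example.com", "summer2013"))
    print("login with wrong password:", check_hashed(strong, "alice@example.com", "winter2013"))
```

The record stores its own parameters so the iteration count can be raised later and old records re-hashed on the user's next successful login; `hmac.compare_digest` avoids leaking how many bytes of the digest matched through timing.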

While Cupid has previously claimed the figure of 42 million records reported in the media was overstated, since many accounts were junk or duplicates, the commissioner said Cupid Media should have had a system to destroy or de-identify accounts no longer in use.


And while the breach didn’t include financial data, the way Cupid organised its sites meant the exposed records counted as personal information under the Privacy Act.

“The Commissioner noted that Cupid offers services via sites categorised as 'African dating', 'Asian dating', 'Latin dating', 'gay and lesbian dating', 'special interest' and 'religion'. The personal information that Cupid handles in relation to user accounts for these particular sites will include 'sensitive information' for the purposes of the Privacy Act,” the OAIC noted. 

Follow Liam Tung on Twitter @liamT
