Feeds

Passwords in plaintext? NOT OK, Cupid

Australian dating security service not a good match, says privacy commissioner

Internet Security Threat Report 2014

“Encrypt passwords”: that's the message coming from Australia's privacy commissioner, at the conclusion of his investigation of the huge data breach of the Cupid Media dating operation in 2013.

Among the 42 million customers whose data was exposed in the breach of the Queensland-headquartered company were 245,000 Australians, privacy commissioner Timothy Pilgrim says.

The most serious breach was that “the compromised passwords were not salted or hashed, or otherwise encrypted, before the data breach. Instead they were stored insecurely, in plain text”, the commissioner's report states. “The Commissioner therefore found Cupid's storage of passwords in plain text to be a failure to take reasonable security steps”.

Finding that Cupid Media – which operated a network of 35 dating sites so as to cover niches of ethnicity, religion, sexual preference and location – had breached Australia's privacy regulations, the commissioner's report states: “Cupid had breached the Privacy Act by failing to take reasonable steps to secure personal information it held.”

During the investigation, the company told the commissioner it didn't hold credit card data, and asserted that since it doesn't check registrations to demonstrate that people are using real names, the data was less sensitive than (for example) financial information.

However, the investigation found that the preferences collected by the niche sites, along with e-mail addresses and user passwords that were compromised in the data breach, added up to breaches serious enough to bring the company under the remit of the Privacy Act.

Cupid also quibbled over the original reports that the breached database held 42 million user accounts, asserting that “this figure is not accurate because it includes 'junk' accounts and duplicate accounts”.

That, however, didn't satisfy the commissioner, who found that the company was retaining personal data that it didn't require: “ Cupid failed to take reasonable steps to destroy or permanently de-identify the personal information it held in relation to user accounts that were no longer in use or needed”, the commissioner writes.

The company did, however, co-operate with the investigation, notified its users, reset their passwords, and applied patches to fix the vulnerability. ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
Knock Knock tool makes a joke of Mac AV
Yes, we know Macs 'don't get viruses', but when they do this code'll spot 'em
Feds seek potential 'second Snowden' gov doc leaker – report
Hang on, Ed wasn't here when we compiled THIS document
Why weasel words might not work for Whisper
CEO suspends editor but privacy questions remain
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
BlackEnergy crimeware coursing through US control systems
US CERT says three flavours of control kit are under attack
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
New hybrid storage solutions
Tackling data challenges through emerging hybrid storage solutions that enable optimum database performance whilst managing costs and increasingly large data stores.
Getting ahead of the compliance curve
Learn about new services that make it easy to discover and manage certificates across the enterprise and how to get ahead of the compliance curve.