In the past week, it was revealed that Cupid Media Pty Ltd had become yet another victim of a cyber attack, with hackers gaining access to the personal information of approximately 254,000 Australian users.
Cupid Media operates over 35 dating websites, relying heavily on personal information such as name, email address, gender, ethnicity and religion to create personal profiles for their users – just the kind of information cyber criminals are after.
The view from commentators is that Cupid Media was, for the most part, doing everything correctly to protect the personal information of their users. Their IT security program was deemed reasonable by many of its peers, with measures in place such as firewalls, anti-virus software, vulnerability scanning and patch management. However, we have learnt time and time again that no matter how stringent your cyber protection procedures may be, hackers will find a way in.
This data breach led to an investigation carried out by the Privacy Commissioner to determine whether Cupid Media had breached the National Privacy Principles as a result of the attack.
In order to gain a general idea of how this data breach unfolded, let’s take a look at the timeline of events:
- Cupid Media identified a rogue file on their webservers on 21 January 2013.
- An internal investigation carried out by Cupid Media determined that on 18 January 2013, attackers had exploited a vulnerability within the application server platform (ColdFusion). This allowed the hackers to gain access to Cupid Media’s webservers.
- With access to the webservers, the hackers then uploaded a ColdFusion Markup file acting as a web shell, which allowed them to run SQL queries against the Cupid Media databases and obtain unauthorised access to their data.
- On 16 January 2013, a security patch for the ColdFusion vulnerability had been released. However, Cupid Media did not receive notification from the developer that the patch had been made available.
- Cupid Media claimed that ordinarily the developer would communicate with them via alerts when updates and patches were available, but failed to do so in this instance. On 21 January 2013, Cupid Media was alerted to the new patch when their IT team identified, through its ‘business as usual’ internal patch management processes, that it was available.
- Cupid Media applied the patch to fix the vulnerability on 21 January 2013, preventing the attackers from obtaining any further data and information.
Cupid Media has advised that the personal information stolen included full names, dates of birth, email addresses and passwords.
As you can imagine, this has caused significant damage to the reputation of the brand and the trust placed in Cupid Media by their customers. In this industry, the relationship you have with your customers is paramount as without them trusting that their private information is stored safely, there will be no business.
Were The National Privacy Principles Breached?
Following the discovery that their network had been compromised, Cupid Media were subject to an investigation by the Privacy Commissioner to determine whether they had breached any of the National Privacy Principles.
At the time of the breach, Cupid Media was covered by the ten National Privacy Principles, which were in effect from 21 December 2001 to 11 March 2014. As of 12 March 2014, the Australian Privacy Principles have been introduced, which have vested the commissioner with greater powers to punish companies who do not adequately protect their customers’ data.
The Privacy Commissioner considered whether Cupid Media had complied with the following National Privacy Principles, which require organisations to:
- take reasonable steps to protect the personal information they hold from misuse and loss and from unauthorised access, modification or disclosure;
- take reasonable steps to destroy or permanently de-identify personal information that they no longer need for any purpose for which the information was collected; and
- use or disclose personal information only for the purposes identified at the time of collection, unless an exception applies.
Resulting from their investigation, the commissioner found that Cupid Media had in fact taken a number of reasonable steps to protect the personal information of their users. However, there were a couple of areas in which there was a failure to comply.
Cupid Media were found to have failed to correctly protect user passwords. User passwords were stored in plain text, which is considered insecure. Organisations must apply techniques such as salted hashing to stored passwords to ensure they are adequately protected: a database dump then yields hashes rather than the passwords themselves.
When surveying just how many users were affected, Cupid Media highlighted that among the 42 million users, there were a number of junk or duplicate accounts included within that figure. Cupid Media had no formal process in place to identify such accounts and subsequently destroy or de-identify them, and was therefore found to be in breach of another National Privacy Principle obligation.
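As an added illustration (not code from the article or from Cupid Media), the contrast between the plaintext storage the commissioner criticised and salted hashing, using PBKDF2 from Python's standard library; the iteration count and salt length are assumed values chosen for this example:

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumed parameters for this example, not values from the article.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def store_plaintext(password: str) -> dict:
    """The pattern found in the investigation: the record *is* the password.
    Anyone who can read the table (for example via SQL run from a web shell)
    reads every password directly."""
    return {"scheme": "plain", "secret": password}


def store_salted_hash(password: str, iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Hardened pattern: a random per-user salt plus a slow salted hash
    (PBKDF2-HMAC-SHA256). The record reveals neither the password nor
    whether two users chose the same one."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"scheme": "pbkdf2_sha256", "iterations": iterations,
            "salt": salt.hex(), "hash": digest.hex()}


def verify(record: dict, candidate: str) -> bool:
    """Check a login attempt against either record type, using a
    constant-time comparison so timing does not leak partial matches."""
    if record["scheme"] == "plain":
        return hmac.compare_digest(record["secret"], candidate)
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def exposed_by_dump(record: dict) -> Optional[str]:
    """What a copy of the table hands over: the password itself for a
    plaintext record, nothing directly usable for a salted hash."""
    return record["secret"] if record["scheme"] == "plain" else None


if __name__ == "__main__":
    # Constructed sample: two users who happen to share a password.
    alice, bob = store_salted_hash("correct horse"), store_salted_hash("correct horse")
    print("salted hashes differ for the same password:", alice["hash"] != bob["hash"])
    print("login succeeds with the right password:", verify(alice, "correct horse"))
    print("plaintext record exposes:", exposed_by_dump(store_plaintext("hunter2")))
```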
What Can We Learn From This?
During their investigation, the Privacy Commissioner found that Cupid Media acted appropriately in response to the data breach. In particular they:
- obtained and applied the ColdFusion security patch to fix the vulnerability, and
- appropriately notified the affected individuals while ensuring they reset their passwords (also encouraging them to reset their passwords for services in which they used the same password)
As a result of these steps taken by Cupid Media and their willingness to cooperate with the investigation, the commissioner did not issue a financial penalty to the company.
It is important to note that if this same incident were to occur under the new Australian Privacy Principles, Cupid Media may not have walked away fine-free. The new legislation is much more onerous and can result in huge penalties for failing to comply.
This is a gentle reminder to businesses to ensure they have adequate levels of security in place to protect the personal information of their customers. Data security processes should be regularly reviewed in order to aim for the best privacy practices and avoid breaching the Australian Privacy Principles. Cupid Media have since undertaken an extensive privacy and data security remediation program to ensure they are compliant under the new Australian Privacy Principles, a step all businesses should be taking to ensure they are doing everything in their power to protect the sensitive information of their customers.