Last week, the Privacy Commissioner found that online dating company Cupid Media had breached the Privacy Act 1988 (Cth) by failing to take reasonable steps to keep personal data held on its dating websites secure.
In 2013, the online dating profiles of around 254,000 Australians were compromised when hackers gained unauthorised access to Cupid’s webservers through a temporary network vulnerability. What the hackers found was a goldmine of personal information, including users’ full names, dates of birth, email addresses and passwords.
Importantly, at the time of the incident, Cupid had a range of IT security measures in place, including firewalls, patch management, vulnerability scanning and anti-virus software. However, Cupid had failed to implement password encryption processes, meaning that users’ passwords were stored insecurely in plain text. In addition, Cupid failed to destroy or permanently de-identify personal data that it no longer needed, such as information about users who had long ago de-activated their accounts, which contributed to the scale of the breach. The Commissioner concluded that because of these failures, Cupid had breached its obligations under the Privacy Act to take reasonable steps to protect user information.
There is a lot to take away from the Commissioner’s findings. Perhaps the biggest lesson for businesses is that in today’s threat environment, having a data security strategy that focuses exclusively on keeping hackers out is simply not enough. No network is 100% secure, and data security breaches are no longer a question of ‘if,’ but ‘when.’ Of course, keeping hackers out is important, but as the Commissioner’s findings illustrate, this kind of ‘perimeter security’ must form part of a comprehensive data security strategy.
Given that even the most sophisticated networks are capable of being hacked, businesses should focus on implementing security measures that will protect personal information (or at least lessen the impact) in the event a hack succeeds. Cupid has learned the hard way that this means identifying and disposing of personal data that it no longer requires, and encrypting personal data that it needs to hold.
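As an added illustration (not code from Cupid or from the Commissioner's report), the Python below shows the two controls the findings turn on: storing passwords only as salted, slow, one-way hashes, which is how "password encryption" in this sense is normally implemented, and destroying records of accounts that have been deactivated for longer than a retention window. The in-memory account store, the example e-mail addresses and the 90-day retention period are assumptions made for the example.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

# Hypothetical in-memory account store, constructed for this example.
# A record never holds the password itself, only a per-account salt and a
# slow one-way hash of it, so a copied database does not yield usable
# credentials the way Cupid's plain-text store did.
ACCOUNTS: dict[str, dict] = {}

PBKDF2_ITERATIONS = 600_000  # current OWASP guidance for PBKDF2-HMAC-SHA256


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def register(email: str, password: str) -> None:
    salt = os.urandom(16)  # unique per account, so equal passwords hash differently
    ACCOUNTS[email] = {"salt": salt, "hash": hash_password(password, salt), "deactivated_at": None}


def verify(email: str, password: str) -> bool:
    record = ACCOUNTS.get(email)
    if record is None:
        return False
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(hash_password(password, record["salt"]), record["hash"])


def deactivate(email: str, when: datetime) -> None:
    ACCOUNTS[email]["deactivated_at"] = when


def purge_deactivated(now: datetime, retention_days: int = 90) -> list[str]:
    """Destroy records of accounts deactivated longer ago than the retention window,
    so data the business no longer needs is not there to be stolen."""
    cutoff = now - timedelta(days=retention_days)
    stale = [e for e, r in ACCOUNTS.items()
             if r["deactivated_at"] is not None and r["deactivated_at"] < cutoff]
    for email in stale:
        del ACCOUNTS[email]
    return stale


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    register("alice@example.com", "correct horse battery staple")
    print(verify("alice@example.com", "correct horse battery staple"))  # True
    deactivate("alice@example.com", now - timedelta(days=400))
    print(purge_deactivated(now))  # ['alice@example.com']
```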
It is also critical that businesses have processes in place that will enable them to identify a hack and respond to it quickly. If there is a saving grace for Cupid, it’s that its vulnerability testing processes allowed it to detect the data breach, patch the network vulnerability, and contain the breach as best it could.
The Commissioner has urged businesses to remain vigilant about information security, and with hefty fines at stake, it is important to take notice.