Dating Site Investigation Leads RoundupCupid Media Fumbled on Security, Leading to Unauthorized Access
In this week's breach roundup, the Australian Privacy Commissioner found that dating site Cupid Media violated the country's Privacy Act by taking inadequate breach prevention steps. Also, a computer hacker has pleaded guilty to infiltrating computer networks of law enforcement agencies across the U.S. as well as at a local college.
Dating Site Violated Privacy Regulations
The Australian Privacy Commissioner has determined after a breach investigation that the dating site Cupid Media violated the country's Privacy Act because it had inadequate security protections in place.
Hackers gained unauthorized access to Cupid Media's Web servers and stole personal information, including full names, dates of birth, e-mail addresses and passwords, for 254,000 site users, according to the commissioner.
The investigation into the 2013 incident found that Cupid Media did not have password encryption processes in place and did not securely destroy or permanently de-identify personal information that was no longer required.
"Password encryption is a basic security strategy that may prevent unauthorized access to user accounts," privacy commissioner Timothy Pilgrim says. "Cupid insecurely stored passwords in plain text, and I found that to be failure to take reasonable security steps as required under the Privacy Act."
The commissioner noted Cupid Media's cooperation with his office during the investigation, and said the dating service had taken recommended steps to improve security. Since the breach, Cupid Media launched an extensive privacy and data security remediation program that includes developing and implementing a data breach response plan, hashing all user passwords with a unique salt, and implementing daily hacking and vulnerability scans.
The commissioner also recommended that Cupid Media regularly review its data security processes.
Hacker Pleads Guilty to Breaching Networks
Cameron Lacroix of New Bedford, Mass., has pleaded guilty to hacking computer networks of law enforcement agencies across the U.S. as well as at a local college. He also pleaded guilty to obtaining stolen credit, debit and payment card numbers. He will be sentenced Oct. 27.
Lacroix was charged June 2 with two counts of computer intrusion and one count of access device fraud, according to the Federal Bureau of Investigation (see: Hacker Charge Leads Breach Roundup).
Between May 2011 and May 2013, Lacroix obtained and possessed payment card data for more than 14,000 unique account holders, authorities say. For some of these accountholders, Lacroix also obtained other personally identifiable information, including the full names, addresses, dates of birth, Social Security numbers, e-mail addresses, bank account and routing numbers and lists of merchandise the accountholders had ordered.
Lacroix admitted to hacking into a computer server operated by a local Massachusetts police department in September 2012, and then accessing the e-mail account of its police chief. He also admitted to repeatedly hacking into law enforcement computer servers across the country which contained sensitive information including police reports, arrest warrants and sex offender information, between August 2012 and November 2012.
The Massachusetts man also admitted using stolen credentials to access and change information in the servers of Bristol Community College, Fall River, Mass., on multiple occasions between September 2012 and December 2013.
Unsolicited E-mails Stem from Vendor Breach
Following notification that alumni were receiving unsolicited e-mails, the University of California, Washington Center determined that an unauthorized individual had gained access to data stored on its pre-enrollment system hosted at ucdc.gosignmeup.com.
GoSignMeUp is a cloud-based vendor of an online course registration system that the university used to host its course registration system, the university says in its breach notification letter.
Exposed information includes username and passwords for UCDC alumni. Other information potentially compromised includes address, principal e-mail, gender, birth date and courses taken.
The university is working with the vendor to find additional ways to increase the security of user data stored on the system, and is notifying an undisclosed number of alumni following the breach.