Your old online footprint can still affect your privacy: SSO Alert Priority Low
27 June 2014
In November 2013, Stay Smart Online advised users of online dating websites owned by Cupid Media that a breach of its customer data had occurred.
The Office of the Australian Information Commissioner (OAIC) has recently completed an investigation into the breach, focusing in particular on whether Cupid Media took reasonable steps to protect its customers’ information.
The report details at length the steps and actions Cupid Media undertook to prevent and address the breach and its impact on users, and where it failed to secure the personal information it held.
The report found that the information of 254,000 Australians was affected, dating as far back as January 2013.
Also included in the report was a finding that Cupid Media failed to take reasonable steps to destroy or permanently de-identify personal information of users that was no longer needed.
This is an important reminder to consumers to be aware of the lifespan of your data when signing up for online services. The information you provide when signing up will be kept by the organisation—in many cases indefinitely.
It is also a reminder to businesses that, from March 2014, new privacy requirements in Australia need to be met.
Under the new Australian Privacy Principles, once you have submitted your personal information to an organisation, it has a responsibility for securing your information and ensuring your privacy. This includes ensuring that information about you that is no longer needed is destroyed or de-identified. More information about this can be found in Chapter 11 of the Australian Privacy Principles.
Many organisations struggle to meet aspects of privacy such as the destruction and de-identification of old information. If you have ever signed up to a website or service in the past, but have long since stopped using it, there’s a possibility that organisation still has your information.
This means that even though you might not have used the website or service for many years, and you are no longer a customer, your personal information may still be held inappropriately, and (as was the case for Cupid Media) a later security breach may still include your information.
The OAIC points out in its report that Cupid Media has addressed the OAIC’s recommendations, including developing a policy for determining when personal information is no longer needed.
Fundamentally, as a consumer, it is important to always be aware that the quick act of signing up to a website or service can also mean leaving your information with it for a very long time.
While privacy regulations exist in Australia, how your information might actually be stored and handled by websites and services is likely to vary significantly.
If the website is internationally based, any rules that may apply will also likely vary.
In Australia, the introduction of new Australian Privacy Principles affects many organisations—some will invariably be playing catch-up with the requirements stipulated.
These principles provide Australian consumers with good protections, including opportunities to contact the organisation and request access to, and clarification of, your information.
Some websites will also offer mechanisms for you to log in or contact them and close your account (of course that does not guarantee your records are deleted or de-identified).
You should also take an interest in the privacy statement for each website or service you join. Good operators will make this available for you to read online.
And of course, whenever you sign up to a new service, use a strong and unique password. Years from now you might be glad you did.
The events detailed in the investigation of Cupid Media occurred prior to March 2014 and the changes to the Privacy Act.
Stay Smart Online has also previously discussed why password strength is important and how criminals can try to guess your password.
The information provided here is of a general nature. Everyone's circumstances are different. If you require specific advice you should contact your local technical support provider.
This information has been prepared by Enex TestLab for the Department of Communications ('the Department'). It was accurate and up to date at the time of publishing.
This information is general information only and is intended for use by private individuals and small to medium sized businesses. If you are concerned about a specific cyber security issue you should seek professional advice.
The Commonwealth, Enex TestLab, and all other persons associated with this advisory accept no liability for any damage, loss or expense incurred as a result of the provision of this information, whether by way of negligence or otherwise.
Nothing in this information (including the listing of a person or organisation or links to other web sites) should be taken as an endorsement of a particular product or service.
Please note that third party views or recommendations included in this information do not reflect the views of the Commonwealth, or indicate its commitment to a particular course of action. The Commonwealth also cannot verify the accuracy of any third party material included in this information.