The dating website Guardian Soulmates suffered a serious hack today which led to user details being exposed. Users of the dating website then received explicit emails from hackers because their personal details were made available online for an extended period of time.
'Human error' at a third-party technology provider that runs the service for Guardian News & Media was blamed for the problem, which has now been fixed.
The BBC were contacted by a user whose details had been exposed, leading them to be spammed. "I basically had been receiving spam directly referencing information that could only have come from the Soulmates database," the user said.
"It's all information that I was happy to put online at one point anyway, but when it's used outside of context like that it does feel a lot more creepy." The user told the BBC that they alerted Guardian Soulmates in November last year and received an email confirming what had happened in late April.
The user, who hadn't used the site for years and was no longer paying for services, was surprised at being sent unsolicited explicit emails. "I'm still pretty miffed that I'll probably forever receive spam from this," they said.
The dating site does not offer its services for free, nor is it inexpensive to use. Those wishing to create and maintain a profile on Guardian Soulmates will be expected to pay up to £32/mo. A spokeswoman for the site told the BBC that while only email addresses and user IDs had been exposed directly, such information could be used "to find members' publicly available online profiles".
Further details like photos, relationship preferences and physical description could then be accessed using the email addresses.
Responding to the breach details being made public, the spokesperson added: "We can confirm we have received 27 enquiries from our members which show evidence of their email addresses used for their Soulmates account having been exposed.
"Our ongoing investigations point to a human error by one of our third-party technology providers, which led to an exposure of an extract of data."
There is currently no evidence that the data exposure had been caused by an outside party.
Guardian News & Media has promised to "continue to review" its processes and third-party suppliers and has also apologised to affected users.
The Information Commissioner's Office (ICO) has said it is "aware of a potential incident involving Guardian Soulmates and will be looking into the details".
"The law requires all organisations handling personal data to take appropriate measures to keep that information secure," a spokeswoman said.
"As the regulator, it's our job to act on behalf of the UK public to see whether that's happened."
David Navin, Corporate Security Specialist, Smoothwall: “The news that users' contact information has been exposed and resulted in receiving explicit emails and content causing distress to its customers is yet another example of why businesses must ensure that they are keeping their data secure.
“Due to the nature of the breach, it reiterates how businesses should always be mindful of security regarding third-party partners. While many businesses often use external companies for support, threat actors see third parties as a ‘way in’ to the main organisation, which may well be the case with Guardian Soulmates’ third-party supplier. While using third-party suppliers is not uncommon – and an absolute necessity for many – it is harder for companies to retain an omniscient view across the whole business.
“The importance of security needs to be at the top of every boardroom’s agenda and across the C-suite as well as all of their staff, so they do not allow themselves to be susceptible to a cyber-criminal’s advances. It is common knowledge now that the majority of security breaches occur due to human error, which appears to be the cause of this latest breach. Ensuring a strong security culture is instilled throughout the workforce is vital to ensure staff are constantly vigilant and aware of the threats. They need to ensure that they are complying with regulation and build a layered security defence which spans encryption, firewalls, web filtering and ongoing threat monitoring as well as a proactive stance. Companies, no matter how big or small, all need to have measures and contingency plans in place so that if a breach does occur, they are able to recover and instil customer confidence as soon as possible.”