To:
First Contact Team
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
SK9 5AF
Subject: Data Protection Act official complaint against Cupid plc (www.speeddater.co.uk).
Dear Madam, Sir,
We hereby raise an official complaint against Cupid plc (www.speeddater.co.uk) under the Data Protection Act.
This website enables to participate into single parties or speed dating events.
We have been a member of the website http://www.speeddater.co.uk/ from September until October. Our screen name was MemberXXXX. The registration email given was: [email protected].
Our perception is that the website and its management have repeatedly breached the Data Protection Act and we wish to formally report this to you along with the relevant evidence. We are listing below the alleged breaches we would like to report.
(1) The email reproduced in evidence1.doc shows that we were a member of the dating website in September under the screen name MemberXXXX and email [email protected].
We have requested that our account is removed and personal information deleted from the customer database at our discretion in October. SpeedDaterStaffYYY, event manager, has confirmed in an email dated 19 October (refer to the file evidence2.doc) that «Further to our telephone conversation, [she has] closed [my] account on SpeedDater. »
It appears that despite our request our personal data such as screen name and email address have not been physically removed from the website. To prove the above we have attempted to create a new account using either our previous screen name (MemberXXXX) or email ([email protected]). The website prevents us from using our email mentioning that the “email is registered”. The website also suggests to “recover our profile”. We are providing screenshots taken from the website as of 14 December in evidence3.doc proving this. This shows that our personal data are still being held by the website against our will.
(2) Furthermore the website has waited until 12 December to remove another account (screen name memberXXXX*1) on www.cupid.com that seems to mirror our account on speeddater.co.uk. It indeed registers the same email address ([email protected]). Please refer to evidence4.doc for proof.
As far as we can remember we have never created an account on this website www.cupid.com and it seems that the information used on speeddater.co.uk was reused by the company to open an account on cupid.com. We believe our authorisation was not asked nor granted.
(3) Additionally it would seem that data such as passwords are not properly secured. Indeed customer passwords are not encrypted. This is demonstrated by the fact that the non encrypted password is systematically emailed after an event is booked on the website. This means are the website is not using a one way encryption algorithm to secure passwords. This could be potentially very dangerous as many people use the same passwords on several websites and anyone having access to those non encrypted passwords and the email address could use them to attempt accessing confidential information on other websites.
For an example we have reproduced in evidence5.doc an email that we have received from the website showing our password, proving that passwords are weakly stored.
We consider that this poses a major security threat for the customers and we are worried that the passwords we have been saving in speeddater’s database might be used to access private information hosted on different websites (e.g. bank accounts).
(4) We have been able to find on the internet complaints that would tend to confirm that data are shared across the websites Cupid plc owns and that passwords are being copied across.
For instance “Crooller” has posted in January on http://ukconsumercomplaints.com:
http://ukconsumercomplaints.com/complaints/speeddatercouk-c406877.html
«I am annoyed by this website emailing me with "someone has viewed my profile" I don't know who placed me on this site it certainly wasn't me, I complained to them and they have chosen to ignore my comments and do nothing about securing their website, are they placing the adverts themselves in the hope that so many will join? They had got my age wrong and put that i lived somewhere near to where I used to live, how do they get this information? they also knew of an old password I used on other sites!!!»
Another member has posted in December on scamfound.com:
http://www.scamfound.com/f13/speeddater-co-uk-i-am-annoyed-website-emailing-me-someone-has-viewed-161025.html
«Speeddater.co.uk - I am annoyed by this website emailing me with "someone has viewed my profile»
Screenshots are given in evidence6.doc.
(5) My credit card details are still being retained as of 12 December despite my account having been closed. SpeedDaterStaffYYY has indeed written in an email sent to me on 12 December that “[email protected] use the same card for purchases». Evidence is given in evidence7.doc
(6) The Data Protection Act gives individuals the right of access to their personal information. I have required Cupid plc to tell me about the personal information they hold about me. I have been denied this right in writing.
In an email dated 12 December SpeedDaterStaffYYY has indeed written in response to my request to be made aware of her allegations of my account having been flagged:
«We are not obligated to pass on details [we hold on you] simply because you have requested them. I’m sure you can understand a breach of privacy in doing so. »
We believe that this information is held under our account and name and should be made available to the account holder if he requests it in writing. We have not requested for any name to be mentioned but we have required alleged facts to be explicitly stated.
We have grounds to believe that this information has been used unfairly and that it may be irrelevant or excessive. We are obviously not in a position to assess this without being made aware of the alleged facts.
(7) We would like to report that the website staff invades the privacy of its customers.
The staff is deliberately reading messages sent from members to members. Although we do appreciate that this could be justified in case the content of the messages have been reported as breaching the law, it seems to us that this activity has been used to merely ensure that the commercial interests of the website are being protected. This appears excessive to us.
SpeedDaterStaffYYY has indeed written on 21 October:
“The content of your mail was not of interest to SpeedDater, we simply wished the ascertain whether members were contacted from the event in question before you activated the guarantee. »
Please refer to email reproduced in evidence8.doc for details.
Based on the above elements, we believe that speeddater website is failing
- to secure members data adequately using password encryption
- to physically remove private information such as email addresses when a user requests it
- to disclose information they retain about their customers
- to ensure that the information given by their customers is not used or disclosed to other websites own by the same group
- to respect the customers privacy
We would like to express our greatest concerns regarding how personal data ate being managed by this company.
Yours faithfully
0 comments