How a data request turned into a data breach

Coffee Meets Bagel sent us a stranger’s data.

The process was smooth enough, with the right safeguards apparently in place.

I emailed the dating app Coffee Meets Bagel to request personal data. Within 24 hours the company asked for a selfie of me holding an ID card and a piece of paper with the words "Coffee Meets Bagel" scrawled on it. Exactly one month later I received an email from Stephen Brandon, the company's data protection officer.

The response form clearly spelled out where it got my data and laid out my rights to correct or erase my personal information. The seven attached spreadsheets were clearly labelled -- "criteria," "messages," "profile" -- and contained a comprehensive amount of data, even if all the values weren't fully explained.

The only problem: This was not my data.

Data retrieval
How big tech manages your personal information

Instead, it belonged to Jon, a man from one of New York's outer boroughs who declined to be identified by his full name. I inadvertently learned a lot about him.

I know Jon's birthday, personal email address, alma mater, ethnicity, height and occupation. I know that he's Catholic and likes vodka.

I can infer his home address from the GPS coordinates of where the app was opened.

I also know exactly who Jon wants to date: men aged 23-50, either Latino or Caucasian, in a 10-mile radius.

It was a data breach, caused by an attempt at data transparency.

I could see how many people he'd matched with and whether they'd chatted, as well as his attractiveness rating on a scale of one to six (one being the most attractive, Brandon told me, with the "vast majority of users being between two to three"). This guy was apparently a two.

In short, this was a lens into some of a stranger's most personal and identifiable information. It was a data breach, caused, ironically, by an attempt at data transparency.

It took less than five minutes for me to pinpoint his online social media profiles and reach out.

"I think it's a major invasion of privacy, but I can see how these mistakes happen," said Jon. "Coffee Meets Bagel should be held accountable, but ultimately it's up to me to be more selective with where I share my data voluntarily." Jon said he had not requested any of his own data and hadn't used the app in several years.

Arum Kang, Coffee Meets Bagel's co-founder and CEO, said that the mix-up came from basic human error. An employee mistyped my internal user ID number into the automated tool for pulling data and failed to double-check that the system spat out the right person's information.

"It's definitely a really good learning opportunity for us," Kang said. "Honestly if you hadn't brought it up we wouldn't have caught it."

Kang said the company has since reviewed every subject access request it's received to ensure this hasn't happened in other instances. She also said that the company will from now on ensure that a second person manually checks every personal file before it's sent out.

Beyond voyeurism, the kind of information Coffee Meets Bagel sent to me could easily be used for identity theft.

Perusing our own personal data at times feels uneventful -- of course I know my own address -- but peeking at someone else's file can underline just how much dating apps know about us. Think of the reams of personal info listed not only in everyone's profiles but also in messages to potential crushes: hopes, dreams, pets, favorite bands, attempts at humor. Now multiply that by the millions of active users Kang says the app has.

Beyond voyeurism, in the wrong hands the kind of information Coffee Meets Bagel sent to me could easily be used for identity theft or to infer passwords and security questions to other accounts. Combining spoof email addresses and basic personal details could facilitate requesting even more data from other online services, depending on their ID-verification methods, which we found varied widely across organizations.

For users, the lesson is to secure your data once you get it from a company. Hackers might not need to scale Facebook's security apparatus if they can find the same data on an unencrypted hard disk.

But the paradox is that data-access rights are supposed to protect us from corporate powers. By sending data outside their walled gardens without rigorous checks, companies risk exposing us to other malicious actors. The stakes are clear: Businesses need to be just as diligent about how data leaves their organization as how it comes in.

Data retrieval series credits
Features editor: Aaron Souppouris
Lead reporter: Chris Ip
Additional reporting: Matt Brian, Dan Cooper, Steve Dent, Jamie Rigg, Mat Smith, Nick Summers
Copy editor: Megan Giller
Illustration: Koren Shadmi (data drones)