Lessons learned from the Tea data breach

Tea (a platform where women can verify male profiles from dating apps through verification systems and share information about them) suffered a significant data breach in July 2025.

Attackers gained unauthorized access to a legacy storage system, exposing approximately 72,000 images, including selfies and photo IDs that users had submitted for verification.

Many lessons can be learned from this breach; this article focuses on the governance factor. Several of the issues could have been prevented by setting a clear direction and following through on it.

Legacy systems

The official statement from Tea says the incident occurred on a legacy system that had not been in use since 2024. A year might seem like plenty of time for a small organization to sunset an unused system, but in larger or fast-scaling companies technical agility usually suffers and things move slowly. It is not uncommon for such organizations to take more than a year or two to decommission a legacy system, because the priority is business continuity rather than technical agility, and any downtime could affect the business.

In this case, it appears that gaps in technical oversight or ownership allowed the system to remain active and vulnerable after it should have been decommissioned. I can only speculate that the system either fell through the cracks and nobody remembered it, or was left dormant for some undisclosed reason. We should ensure that all systems are inventoried, assigned an owner, and tagged with a decommission date. Even if target dates slip, tracking and reviewing them regularly keeps these risks from being overlooked entirely. Pushing a target date back a couple of times is not ideal, but it is better than having no date at all and therefore no clear goal to measure against.
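The review described above only works if someone periodically compares the inventory with what is actually reachable; a system that "fell through the cracks" is, by definition, one the inventory does not know about or believes is gone. The following script is an added example, not Tea's tooling or anything from its statement. The inventory records, the asset names, and the set of observed hosts are all constructed for illustration; in practice the observed set would come from a network scan, a cloud API listing, or a DNS zone export.

```python
"""Reconcile a system inventory against hosts that are actually reachable.

Added example (not Tea's tooling). Both the inventory records and the set of
observed hosts are constructed inline; in practice the observed set would come
from a network scan, a cloud API listing, or a DNS zone export.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str | None          # None = nobody is accountable for it
    status: str                # "active", "sunsetting" or "decommissioned"
    decommission_by: date | None


@dataclass(frozen=True)
class Finding:
    asset: str
    issue: str


def review_inventory(inventory: list[Asset], observed: set[str], today: date) -> list[Finding]:
    """Return governance findings: untracked hosts, zombie systems, missing owners, overdue dates."""
    findings: list[Finding] = []
    known = {a.name for a in inventory}

    # Hosts that answer on the network but that nobody has written down.
    for host in sorted(observed - known):
        findings.append(Finding(host, "reachable but absent from inventory"))

    for a in inventory:
        if a.status == "decommissioned":
            # The paperwork says it is gone; reality disagrees.
            if a.name in observed:
                findings.append(Finding(a.name, "marked decommissioned but still reachable"))
            continue
        if not a.owner:
            findings.append(Finding(a.name, "no owner assigned"))
        if a.status == "sunsetting" and a.decommission_by is None:
            findings.append(Finding(a.name, "sunsetting with no target date"))
        elif a.decommission_by is not None and a.decommission_by < today:
            findings.append(Finding(a.name, f"decommission date {a.decommission_by} has passed, still {a.status}"))
    return findings


def sample_inventory() -> list[Asset]:
    # Constructed records for illustration only (hypothetical system names).
    return [
        Asset("api-prod", "platform-team", "active", None),
        Asset("legacy-storage", None, "sunsetting", date(2024, 3, 31)),
        Asset("old-cms", "web-team", "decommissioned", date(2023, 12, 31)),
    ]


def sample_observed() -> set[str]:
    # Constructed "what actually responded" set, e.g. the result of a scan.
    return {"api-prod", "legacy-storage", "old-cms", "bucket-backup-2019"}


def sample_review() -> list[Finding]:
    return review_inventory(sample_inventory(), sample_observed(), date(2025, 7, 1))


if __name__ == "__main__":
    for f in sample_review():
        print(f"{f.asset}: {f.issue}")
```

Run on the constructed data, the review produces four findings: one host nobody inventoried, one system still answering despite being recorded as decommissioned, and a legacy store that has no owner and whose decommission date has already slipped past. Each of those is exactly the kind of gap a regular review is meant to surface before an attacker does.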

Data retention

Another key lesson concerns data retention discipline. Whenever we handle data, whether customers' or our own, we should have a clear data lifecycle. A data lifecycle policy should contain clear rules for where data is stored, how long it is retained, and exactly when it must be deleted.

In Tea's case, its data retention policy stated that verification selfies and ID pictures were supposed to be deleted after verification. A basic internal audit, or an automated alert for data past its retention date, could have revealed that the deletion process was not working and prevented the unnecessary exposure.
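The "automated alert for expired data" is a small amount of code once the policy is written down as rules rather than prose. The script below is an added example and is not Tea's code; the listing is constructed to resemble an object-store listing (key, last-modified time, user metadata), and the prefixes, the `verification_status` tag, and the retention windows in `POLICY` are assumptions chosen for illustration. It also covers the two failure modes an audit most often meets: objects with no lifecycle rule at all, and objects whose metadata is missing, so their lifecycle cannot be judged.

```python
"""Audit an object-store listing against a retention policy.

Added example, not Tea's code. The listing below is constructed to look like
an S3-style listing (key, last-modified time, user metadata); the prefixes,
the verification_status tag and the retention windows in POLICY are
assumptions chosen for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Obj:
    key: str
    last_modified: datetime
    metadata: dict[str, str]


@dataclass(frozen=True)
class Rule:
    max_age: timedelta                                    # hard ceiling on object age
    delete_once_status_in: frozenset[str] = frozenset()   # terminal states after which the object must be gone


# Longest matching prefix wins. Verification images must go as soon as a
# decision is recorded and may never outlive a 7-day grace period in any case.
POLICY: dict[str, Rule] = {
    "verification/": Rule(timedelta(days=7), frozenset({"approved", "rejected"})),
    "support/attachments/": Rule(timedelta(days=90)),
}


def rule_for(key: str) -> Rule | None:
    matches = [p for p in POLICY if key.startswith(p)]
    return POLICY[max(matches, key=len)] if matches else None


def audit(listing: list[Obj], now: datetime) -> list[tuple[str, str]]:
    """Return (key, reason) pairs for objects that should no longer exist or cannot be judged."""
    violations: list[tuple[str, str]] = []
    for o in listing:
        rule = rule_for(o.key)
        if rule is None:
            # Data with no lifecycle rule is exactly the data that ends up forgotten.
            violations.append((o.key, "no retention rule covers this prefix"))
            continue
        if rule.delete_once_status_in:
            status = o.metadata.get("verification_status")
            if status is None:
                violations.append((o.key, "missing verification_status tag, lifecycle unknown"))
            elif status in rule.delete_once_status_in:
                violations.append((o.key, f"verification {status} but object still present"))
        age = now - o.last_modified
        if age > rule.max_age:
            violations.append((o.key, f"age {age.days}d exceeds {rule.max_age.days}d limit"))
    return violations


def sample_listing() -> list[Obj]:
    # Constructed listing for illustration only.
    utc = timezone.utc
    return [
        Obj("verification/selfies/u1.jpg", datetime(2023, 11, 2, tzinfo=utc), {"verification_status": "approved"}),
        Obj("verification/ids/u2.jpg", datetime(2025, 7, 18, tzinfo=utc), {"verification_status": "pending"}),
        Obj("verification/selfies/u3.jpg", datetime(2024, 1, 15, tzinfo=utc), {}),
        Obj("support/attachments/ticket-9.pdf", datetime(2025, 5, 1, tzinfo=utc), {}),
        Obj("exports/dump.csv", datetime(2025, 6, 1, tzinfo=utc), {}),
    ]


def sample_audit() -> list[tuple[str, str]]:
    return audit(sample_listing(), datetime(2025, 7, 20, tzinfo=timezone.utc))


if __name__ == "__main__":
    for key, reason in sample_audit():
        print(f"ALERT {key}: {reason}")
```

Wired to a scheduler and an alerting channel, a non-empty result from `audit` is the signal that the deletion job has stopped doing its job. The untagged and unruled cases are reported deliberately: silently skipping them is how a store full of old verification images stays invisible until someone else finds it.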

Having a clear disclosure mechanism

Tea only disclosed the breach after the leaked data began circulating online, and the breach was first reported publicly by an external outlet, 404 Media, rather than by the company itself. This suggests the absence of a defined incident response and disclosure protocol, which left the company reacting rather than leading. Had such a channel existed, it would have been plausible for the attacker to approach the company with a ransom demand first instead of going straight to selling the customer data.

That might not sound like much of an improvement, but it buys the company time to react and prepare its official response to customers. A defined breach response playbook, covering legal counsel, customer notification workflows, and media coordination, lets the company act swiftly, contain reputational damage, and maintain public trust.

Conclusions

This breach shows how outdated systems, unclear data policies, and weak incident response can create serious risks.

Apps that handle sensitive data—like ID photos or location info—must manage their systems properly, delete data on time, and be ready to respond quickly. Good governance isn’t just about compliance; it’s essential for earning user trust.

Source:

https://www.nytimes.com/2025/07/26/us/tea-safety-dating-app-hack.html

https://www.teaforwomen.com/cyberincident
