The Tea App Data Breaches: 5 Urgent Lessons for Every Business Leader
News of data breaches is nothing new, but this past week's double data breach at the now infamous Tea app brought a storm of mind-spinning ironies and sharp lessons for business owners everywhere.
In 2023, tech entrepreneur Sean Cook launched the Tea app, an anonymous, women-only dating safety app. As stated on the Tea website, "Tea was born from a deeply personal mission to give women the tools they need to date safely in a world that often overlooks their protection." The app is designed to be a platform for women to share their dating experiences with men. Users can search for men by name or phone number, post reviews and warnings, join group chats, use background check tools, share stories and seek emotional support.
In 2024, Cook collaborated with social media influencer Danielle Szentza and eventually hired her as Chief Marketing Officer, a role that later became Head of Socials. Her support, combined with fear-based storytelling videos that went viral, built tremendous momentum: the app eventually reached the #1 spot in the Apple App Store and surpassed 4 million users, as Tea announced on July 24th on its TikTok account.
Despite reaching such a milestone, the success would be extremely short-lived. Just one day after the announcement, the Tea app suffered a massive data breach. The first of two breaches, it exposed 72,000 images: 13,000 selfies and government-issued IDs that women had submitted for account verification, plus 59,000 other images that users had uploaded in posts, comments and direct messages, as reported by AP News. The second breach took place just a couple of days later, exposing 1.1 million private messages. These messages contained sensitive personal discussions of infidelity, abortions and relationship abuse. They also included phone numbers, meeting locations and personal identifiers such as names and social media handles.
The first of these mind-spinning ironies? The app designed to protect women nationwide became the very thing that endangered them. 404 Media, the first outlet to report the breach, said on its podcast that online forums had been created to collect the women's information and harass them; one thread was even titled, "Drivers Licenses and Face Pics Get in Here Before They Shut It Down!" People were downloading the images in bulk.
The second mind-spinning irony is that Cook touts his tech background. According to the Tea website, Cook has "expertise in product development after working for some of the Top Bay area tech companies including Salesforce and Shutterfly." To understand the depth of the irony and how alarming this is, one must understand the position of cybersecurity within a company. Launching an app, especially a safety-focused app, without investing in cybersecurity is like opening a restaurant without refrigeration. It is foundational, expected, and dangerous to overlook. Cybersecurity is a basic health standard that the Tea app disregarded, leaving an open door that threatened the safety of the more than 4 million users in its database.
As of the beginning of August, two class-action lawsuits have been filed, with more expected to follow. Although these suits are in their earliest stages, the cost to Tea is predicted to run anywhere from the tens to the hundreds of millions of dollars.
The Tea app had the rise to the top that many companies dream of. Whether your company is just starting out, on its way to its next milestone or already at the top of its game, the double data breach of the Tea app has handed business owners everywhere golden takeaways for building a safe and secure environment for themselves as well as their customers.
See below for our top 5 urgent lessons for business leaders:
1. Cybersecurity Culture
Cybersecurity culture refers to “the knowledge, beliefs, perceptions, attitudes, assumptions, norms and values of people regarding cybersecurity and how they manifest in people’s behavior with information technologies.” – European Union Agency for Cybersecurity (ENISA, 2021)
In this case, Tea failed to uphold commitments made in the Privacy Policy on its own website, which promises "SSL encryption" and "reasonable security measures." Tea stored user verification selfies and private messages in back-end systems without effective access controls or application-level encryption, directly contradicting its own commitments and exposing users to major data risks. Note that SSL (today, TLS) only protects data in transit between the app and the server; it says nothing about who can read the data once it is stored.
Business Leader Key Takeaway:
Ensure your company’s actions align with its privacy policy – it’s a move that strengthens both your business and your credibility as a leader.
2. Public Relations: Crisis Communication
In public relations, there is a timeless rule: "Tell the truth. Tell it fast. Tell it all." True ownership goes a long way, and it resonates with the public. Unfortunately, Tea did the opposite. It waited until after the media broke the story to respond. When it finally issued a statement, the statement downplayed the scope of the breach and, most critically, lacked any real empathy. Additionally, the founder has made no public statements. This marks the third mind-spinning irony in this case: a brand built on "deep" empathy for the safety of women showed, at the end of the day, not a glimpse of it. If Tea hopes to move forward in a respectful way that restores even a fraction of user trust, its path must include public relations essentials: radical transparency, empathy-driven messaging, action-first reforms, and community-centered trust rebuilding.
Business Leader Key Takeaway:
Any brand in a public relations crisis has to be aware of timing. Be proactive – not reactive. Be ongoing – not one and done. Be human – not cold or corporate. Be visible – not hidden behind a logo. Use technology to your advantage, don’t hide behind it.
3. Encryption is not optional, it’s necessary
Encryption is the process of encoding information in such a way that only authorized parties can access it and those who are not authorized cannot. It helps protect sensitive data by converting it into unreadable format, which can only be decrypted using a specific cryptographic key. – National Institute of Standards and Technology (NIST), Computer Security Resource Center
Tea’s privacy policy promised secure handling of user data, including encryption of sensitive information. But the reality didn’t match the promise.
· Verification selfies and government ID images sat in a Firebase Storage bucket whose access rules allowed unauthenticated reads, so anyone who found the bucket could download them in bulk. Google encrypts Cloud Storage data at rest by default, which is exactly the point: provider-side encryption protects the disks, not the data, once the bucket itself is world-readable.
· Over 1.1 million private messages were exposed in a database that could be queried with any authenticated user's API key, and nothing encrypted the message content itself, so whoever could reach the database could read every conversation.
· There was no documented application-level encryption of user-uploaded content, personal conversations, or even critical identifying information before that data reached storage.
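The distinction between provider-side encryption and application-level encryption is what decides whether a leaked bucket is a catastrophe or an annoyance. The Go program below is an added illustration, not code from Tea, Firebase or Google: it applies envelope encryption to an uploaded verification image before the image is written to object storage. Each object gets its own random data key, that data key is wrapped under a key-encryption key (KEK) that in production would live in a KMS or HSM rather than in memory, and the object path is bound into both ciphertexts as additional authenticated data so an envelope copied to another path fails to decrypt. The KEK, the object path `verification/user-123.jpg` and the image bytes are constructed stand-ins for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Envelope is what gets written to object storage in place of the raw image.
// Every field is safe to store next to the object: without the KEK, which
// never leaves the key-management service, none of it reveals the image.
type Envelope struct {
	WrappedKey []byte // per-object data key, encrypted under the KEK
	KeyNonce   []byte // nonce used when wrapping the data key
	Nonce      []byte // nonce used when encrypting the object body
	Ciphertext []byte // AES-256-GCM ciphertext followed by the 16-byte auth tag
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with AES-GCM and a fresh random nonce,
// binding aad (here, the object path) into the authentication tag.
func seal(key, aad, plaintext []byte) (nonce, ct []byte, err error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err = io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

// openSealed reverses seal; a wrong key, wrong aad or any tampering errors out.
func openSealed(key, nonce, ct, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, aad)
}

// EncryptObject encrypts one object under a fresh random data key and wraps
// that key under the 32-byte KEK. objectName is used as AAD for both layers.
func EncryptObject(kek []byte, objectName string, plaintext []byte) (*Envelope, error) {
	if len(kek) != 32 {
		return nil, errors.New("KEK must be 32 bytes (AES-256)")
	}
	dataKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dataKey); err != nil {
		return nil, err
	}
	aad := []byte(objectName)
	nonce, ct, err := seal(dataKey, aad, plaintext)
	if err != nil {
		return nil, err
	}
	keyNonce, wrapped, err := seal(kek, aad, dataKey)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, KeyNonce: keyNonce, Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptObject unwraps the data key with the KEK, then decrypts the body.
func DecryptObject(kek []byte, objectName string, env *Envelope) ([]byte, error) {
	aad := []byte(objectName)
	dataKey, err := openSealed(kek, env.KeyNonce, env.WrappedKey, aad)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	plaintext, err := openSealed(dataKey, env.Nonce, env.Ciphertext, aad)
	if err != nil {
		return nil, fmt.Errorf("decrypt object: %w", err)
	}
	return plaintext, nil
}

func main() {
	// Hypothetical KEK generated in memory for the demo; production code
	// would ask a KMS to wrap and unwrap the data key instead.
	kek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, kek); err != nil {
		panic(err)
	}
	image := []byte("JFIF...constructed sample selfie bytes...") // constructed stand-in
	name := "verification/user-123.jpg"                        // hypothetical object path

	env, err := EncryptObject(kek, name, image)
	if err != nil {
		panic(err)
	}
	// This is all a bulk downloader of a public bucket would obtain.
	fmt.Printf("stored %d ciphertext bytes and a %d-byte wrapped key\n", len(env.Ciphertext), len(env.WrappedKey))

	if _, err := DecryptObject(make([]byte, 32), name, env); err != nil {
		fmt.Println("wrong KEK:", err)
	}
	if _, err := DecryptObject(kek, "verification/other-user.jpg", env); err != nil {
		fmt.Println("envelope moved to another path:", err)
	}
	back, err := DecryptObject(kek, name, env)
	fmt.Printf("right KEK and path: err=%v, image restored=%v\n", err, string(back) == string(image))
}
```

The design choice worth noting is that the bucket's own access rules are still the first line of defence; the envelope is what limits the damage when those rules fail, as they did here. Rotating the KEK then means re-wrapping small data keys, not re-encrypting every image.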
Business Leader Key Takeaway:
Encryption isn’t optional – it’s necessary. In today’s advanced digital world, encryption is something you cannot slack on. Has your business properly protected your customer’s data?
4. IT Professional Services
Tea used Firebase (Google's backend-as-a-service platform) directly to store all of its users' individual data. This suggests that Tea's team set up and managed its own infrastructure rather than purchasing professional IT services. For perspective, imagine you own a storage unit company that stores sensitive personal items, including passports, family photos, private letters and valuables. Instead of hiring a professional security team to install cameras, locks and alarms, you rent the unit yourself and assume "no one will notice," or think, "I'll lock it later." Your cloud provider is not your Chief Information Security Officer (CISO): access to Firebase storage and databases is governed by security rules that the customer writes, and a rule that permits public reads is the customer's misconfiguration, not Google's. Always conduct regular audits, enforce least-privilege access, and require clear security accountability in vendor contracts. Security is best left to the professionals.
Business Leader Key Takeaway:
It is in any company and business leader’s best interest to hire professional IT services. The right provider understands not only the infrastructure for your business but the regulations in your industry.
5. Regulatory Compliance
Speaking of legalities, Tea's handling of user data ran afoul of multiple regulatory requirements and state privacy laws. Failing to meet privacy laws will not only cost your business financially but also erode trust with customers. Business leaders need to understand how compliance ties directly to brand reputation, legal liability, and long-term customer retention.
Business Leader Key Takeaway:
There are multiple overlapping and growing privacy laws. As a leader you want to ensure you and your business are covered.
Conclusion
In summary, the Tea app data breaches are not just a wake-up call for one company but all business leaders. A strong business foundation starts with building a culture of cybersecurity, respecting your customers through clear and timely communication (including using technology to do so), encrypting all sensitive data, not blindly trusting cloud or vendor partners, and staying compliant with evolving privacy laws in your industry and state.
Have you performed a recent cybersecurity assessment on your business?
Click below to schedule a complimentary cybersecurity assessment with CompuOne today:
