Tea Is Back. Three Lawsuits, a Data Breach and an Apple Ban Later.
Tea exposed government IDs, selfie videos, private messages, and home addresses for over one million users in July data breaches
Three separate class action lawsuits remain active against the company
Apple's App Store ban persists seven months after the breaches, cutting Tea off from approximately 50% of the UK smartphone market
The platform still requires government ID and biometric selfie verification despite its catastrophic security failures
Tea's website relaunch marks one of the most brazen comebacks in dating tech this year, and possibly the most ill-advised. The app that promised to make women safer in dating by collecting government IDs, selfies, and detailed relationship histories has returned after data breaches exposed precisely that information for over one million users. The company now asks users to trust it again with the same sensitive data it failed catastrophically to protect just months ago.
The timing couldn't be worse. Three separate class action lawsuits remain active. Apple's App Store ban persists, cutting Tea off from roughly half the UK smartphone market. According to reporting by 404 Media, the July breaches didn't just leak usernames; they exposed selfie videos, government ID photographs, private messages, and home addresses. Some of that material ended up circulating on public forums, turning a safety tool into a doxing database.
Tea's core business model is fundamentally compromised. The platform demands unprecedented personal data to verify users and prevent fake reviews, making it an irresistible target for bad actors.
A honeypot by design
The paradox at the heart of Tea's offering has always been apparent to anyone paying attention. Creating a women-only review platform for flagging dangerous men requires robust identity verification: otherwise, the system drowns in fake reviews, retaliation, and men reviewing themselves under false accounts. That verification infrastructure, however, creates exactly the kind of high-value data trove that motivated attackers dream about.
Tea's solution compounds the problem. According to statements from the company's head of trust and safety, Jessica Dees, new users must now submit either a selfie video or photograph alongside government-issued identification. This verification runs through a third-party provider, which the company frames as an enhanced security measure. But outsourcing doesn't eliminate risk; it distributes it.
Users must now trust both Tea's infrastructure and its vendor's security posture, despite Tea having already demonstrated it cannot prevent unauthorised access to sensitive material. The broader dating industry has largely moved away from requiring government ID for basic access. Match Group properties offer optional ID verification through third parties like Garbo and Persona, but don't mandate it for platform use.
Bumble introduced optional photo verification using selfies and pose-matching, avoiding document collection entirely. Grindr has resisted implementing mandatory verification, citing privacy concerns for LGBTQ+ users in hostile jurisdictions. Tea went the opposite direction. Its entire value proposition depends on collecting precisely the data most operators try to minimise holding.
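An added illustration of the "architectural restraint" this section contrasts with Tea's approach: the platform outsources the ID and selfie check, persists only the vendor's verdict plus a peppered hash of the vendor's case reference, and a review-time check flags any stored record that still carries raw identity fields. This is example code written for this article, not Tea's or any vendor's; the vendor result shape, field names and pepper are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
import hashlib
import hmac


@dataclass(frozen=True)
class VendorResult:
    """Constructed stand-in for what an ID-verification vendor returns (hypothetical shape)."""
    reference: str        # vendor-side case id, the only link back to the ID and selfie
    verified: bool
    checked_at: datetime


# Raw identity material the platform's own database should never hold after the check.
IDENTITY_MATERIAL = {
    "id_image", "selfie_video", "document_number", "date_of_birth", "home_address",
}


def minimal_verification_record(user_id: str, result: VendorResult, pepper: bytes) -> dict:
    """Build the only row the platform persists for a verified user.

    The document and selfie stay with the vendor. The case reference is keyed-hashed
    with a server-side pepper (kept in a secrets store, not in the database), so a
    dumped table cannot be used to look the case up in the vendor's portal.
    """
    ref_digest = hmac.new(pepper, result.reference.encode(), hashlib.sha256).hexdigest()
    return {
        "user_id": user_id,
        "verified": result.verified,
        "checked_at": result.checked_at.isoformat(),
        "vendor_ref_hmac": ref_digest,
    }


def holds_identity_material(record: dict) -> bool:
    """Review-time check: True if a stored record carries any raw identity field."""
    return bool(IDENTITY_MATERIAL & set(record))


def sample_vendor_result() -> VendorResult:
    """Constructed sample: the vendor reports a passed check for case 'case-1234'."""
    return VendorResult("case-1234", True, datetime(2026, 2, 1, tzinfo=timezone.utc))


if __name__ == "__main__":
    row = minimal_verification_record("u-42", sample_vendor_result(), b"placeholder-pepper")
    print(row, "leaks identity material:", holds_identity_material(row))
```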
iOS exile and AI expansion
The company's exclusion from Apple's App Store isn't merely symbolic. iOS accounts for approximately 50% of the UK smartphone market, according to Statcounter data, and skews heavily towards higher-income demographics, precisely Tea's target user base. Operating solely via web and Android limits growth, reduces discoverability, and eliminates Apple's App Store review process, which, whatever its flaws, provides a baseline security assessment.
Apple's decision to maintain the ban suggests the platform identified issues severe enough to warrant ongoing exclusion despite potential pressure to reinstate a high-profile app. The company has not publicly detailed its reasoning, but removal following security incidents typically requires demonstrable remediation before reinstatement. Tea's continued absence from iOS seven months post-breach indicates either incomplete fixes or Apple's assessment that the fundamental architecture remains problematic.
Rather than focusing entirely on rebuilding security credibility, Tea has introduced new AI features to its Android app. The additions include an AI dating coach and an upcoming tool called Red Flag Radar AI, which will analyse chat conversations. According to Dees, these features are 'designed to supplement community insight and can help inform a community member's point of view on something they might not be sure about'.
The introduction of AI-powered chat analysis raises immediate questions about data processing, retention, and potential exposure. Training and running AI models typically requires substantial data throughput and storage. For a company that hasn't yet demonstrated it can secure basic user information, adding systems that analyse private conversations seems premature at best, reckless at worst.
The compliance calculation
For trust and safety teams across the dating industry, Tea's trajectory offers a cautionary case study. The EU Digital Services Act and UK Online Safety Act both impose obligations around user data protection, with the latter specifically addressing intimate image abuse. A platform that collects government IDs and facilitates reviews of individuals' relationship behaviour sits squarely in the regulatory crosshairs.
Tea's data breaches predated full OSA enforcement, but similar failures going forward would likely trigger Ofcom action. The regulator has signalled it will treat dating platforms as high-risk services requiring enhanced protections. Operators holding sensitive personal data without demonstrable security infrastructure face potential fines up to 10% of qualifying worldwide revenue under the OSA, with criminal liability for senior management in cases of non-compliance.
The company claims it has 'actively conducted penetration testing at the infrastructure level' and implemented expanded monitoring processes. Without independent security audits or third-party attestation, however, these assurances remain precisely that: assurances from a company whose previous security claims were contradicted by reality.
Whether users will return depends on a calculation that may be impossible to make rationally. Tea offers a service that some women clearly value, judging by its brief App Store dominance. But that service requires trusting a platform that has already exposed users' most sensitive information. The dating industry has spent the past three years trying to rebuild trust after a series of self-inflicted wounds. Tea's relaunch suggests some operators still haven't grasped how fragile that trust remains, or how completely it can shatter.
Dating platforms collecting extensive biometric and identity data face existential regulatory and liability risks under the UK Online Safety Act and EU Digital Services Act, with potential fines reaching 10% of global revenue
The industry trend towards minimal data collection and optional verification reflects hard lessons Tea has yet to learn: security theatre cannot substitute for architectural restraint
Watch for Ofcom enforcement action as the regulator has flagged dating platforms as high-risk services requiring enhanced protections, making Tea's trajectory a potential test case for regulatory teeth