Security deficiencies at Ashley Madison: probe
Cheating website Ashley Madison failed to safeguard its members’ personal information and posted a fictitious security award on its home page, a joint investigation by Canadian and Australian privacy commissioners has found.
On Tuesday the two privacy agencies released the findings of a yearlong probe into security practices at the Toronto-based company that owns Ashley Madison, launched after hackers dumped information from 36 million user profiles online in the summer of 2015. Putting a fake security award on Ashley Madison’s home page was an “exceptional” deception, but the other security deficiencies the investigation found are far from unique to the company, Canadian privacy commissioner Daniel Therrien said in an interview.
“Ashley Madison admitted to us these trust marks were completely fictitious. They made them up. Clearly, that was a serious misrepresentation in trying to get membership,” Therrien said. “But in terms of general security practices, what we found is not at all exceptional or unusual.”
In a release, Ashley Madison parent company ruby Corp. — intentionally lowercase and formerly known as Avid Life Media Inc. — said it has agreed to comply with the investigation’s recommendations. If the Office of the Privacy Commissioner finds ruby has failed to do so by the deadlines set out in the report, it can take the company to court.
“The company continues to make significant, ongoing investments in privacy and security to address the constantly evolving threats facing online businesses,” said chief executive Rob Segal in the release. “These investments are the cornerstone of rebuilding consumer trust over the long term.”
In addition to the fake security award — which Ashley Madison has removed from its website — the report found a long list of lax security practices at ruby. The company had poor password management procedures, held onto personal information from inactive and deactivated accounts for too long and lacked a written, comprehensive privacy and security policy, the report found.
According to the terms of the compliance agreement, ruby must complete a third-party review of its personal information protections; update its policies on retaining personal information from inactive and deleted accounts; and rethink its email verification practices to prevent people from signing up under someone else’s name, which could damage that person’s reputation in the event of a data breach.