Cheating website had poor safeguards: privacy officials
Ashley Madison marketed itself as a discreet and secure service, but the site for married people seeking affairs had inadequate security safeguards and policies when it was targeted by hackers, privacy officials in Canada and Australia have found.
More than a year after a massive data breach that made international headlines, the Office of the Privacy Commissioner of Canada and the Office of the Australian Information Commissioner say their investigation into Ashley Madison has identified numerous violations of the privacy laws of both countries.
In a report, the two agencies said there was a lack of a comprehensive privacy and security framework, even though the site’s parent company knew how important it was, and even went so far as to place a fake security trustmark icon on its home page to reassure users.
“The company’s use of a fictitious security trustmark meant individuals’ consent was improperly obtained,” said Canada’s privacy commissioner, Daniel Therrien.
Though the company did have some security measures in place, the agencies found several issues, including inadequate authentication processes for employees accessing the company’s system remotely and poor key and password management practices. In some instances, passwords were stored as plain, clearly identifiable text in emails and text files on the company’s systems, the report said.
“Privacy breaches are a core risk for any organization with a business model based on the collection and use of personal information,” Therrien said. “Where data is highly sensitive and attractive to criminals, the risk is even greater. Handling huge amounts of this kind of personal information without a comprehensive information security plan is unacceptable. This is an important lesson all organizations can draw from the investigation.”
Last year’s hack exposed the personal dealings and financial information of millions of purported clients.
Ashley Madison’s parent company, Ruby Corp. — formerly known as Avid Life Media — has said the cyberattack cost it about a quarter of its annual revenue.
The company said Tuesday it has cooperated with the investigation and entered into a compliance agreement that makes the report’s recommendations enforceable in court, though it does not mean Ashley Madison admits to the findings.
It vowed to take several steps to ensure better data security, including completing a third-party review of its existing protections by the end of this year — a process the company said is already underway.
Ruby Corp. also committed to further boosting and documenting its information security framework by May 31, and said mandatory security and privacy training for employees has been implemented.