Secrets were far from safe at Ashley Madison, probe finds
Safeguards at infidelity site were severely lacking, investigators say
“Handling huge amounts of this kind of personal information without a comprehensive information security plan is unacceptable.” Daniel Therrien, Privacy Commissioner of Canada
Though it billed itself a place where those seeking an affair could do so undercover, an investigation by privacy officials has found cheating website Ashley Madison was far from a bastion of security in the time leading up to its high-profile data breach last year.
Ashley Madison was far less discreet and a lot more deceptive than the Toronto-based company made out, going as far as to display phoney security icons on its home page, according to the investigation by privacy officials in Canada and Australia.
The agencies found that the site’s parent company, Avid Life Media (ALM), which rebranded as Ruby Corp. in July, breached privacy law in both countries, even though it was well aware of the sensitivity of the information it gathered. Safeguards, they said, were either “absent, difficult to understand or deceptive.”
“Privacy breaches are a core risk for any organization with a business model based on the collection and use of personal information,” said Canada’s privacy commissioner, Daniel Therrien, in a statement.
“Handling huge amounts of this kind of personal information without a comprehensive information security plan is unacceptable. This is an important lesson all organizations can draw from the investigation.”
The Office of the Privacy Commissioner of Canada (OPC) and the Office of the Australian Information Commissioner (OAIC) released the conclusions of their investigation Tuesday, a year after the massive, highly publicized breach of the website.
A group of hackers calling itself the Impact Team released data on more than 32 million user accounts around the world, including financial data, sexual preferences and other identifying information, which led to some users being blackmailed. A second data dump made alleged internal company documents available to the public.
Toronto police launched a criminal investigation that remains ongoing.
The joint privacy investigation found Ashley Madison displayed a fake lock icon meant to convince users their information was secure, along with a medal labelled “trusted security award” that it had awarded itself. The company also lacked adequate authentication for remote access to its systems, with no multi-factor authentication in place, and its password and encryption-key management practices were poor.
“Though ALM had some security safeguards in place, those safeguards appeared to have been adopted without due consideration of the risks faced,” the report said.
Parent company Ruby said Tuesday it has entered voluntary, court-enforceable agreements with both regulators. It added that it cooperated with the Australian and Canadian privacy offices throughout the investigations.
“We hope that by openly speaking about the breach and our commitments to the OPC and the OAIC, we can help other organizations and business leaders who are facing increased cybersecurity challenges,” said CEO Rob Segal, who replaced the controversial company head Noel Biderman in April.
The company said it would make “significant, ongoing” investments in privacy and security in order to regain the trust of its clients. It agreed to a third-party review of its protections for personal information as well as mandatory security and privacy training for employees and to review and update its terms and conditions.
It also pledged to ensure that it does not retain the personal information of inactive users, or of those with deactivated accounts, beyond an “appropriate retention period,” and to either allow users to join the site without providing an email address or take steps to verify the accuracy of the addresses they provide.
The company’s promises come after it was revealed that many of the exposed accounts were stale, in part because the company charged users who wanted to delete their accounts and then retained their information for a further year anyway. Some of the accounts, including ones registered to prominent politicians and celebrities, were suspected to be fake, because the site did not verify email addresses at sign-up and anyone could register under any address.