Windsor Star

Probe finds lax security, deception on cheater site

Ashley Madison put fake award online — an ‘exceptional’ deception

- CLAIRE BROWNELL Financial Post

Cheating website Ashley Madison failed to safeguard its members’ personal information and posted a fictitious security award on its home page, a joint investigation by Canadian and Australian privacy commissioners has found.

The two privacy agencies released Tuesday the findings of a yearlong probe into security practices at the Toronto-based company that owns Ashley Madison, launched after hackers dumped information from 36 million user profiles online in the summer of 2015. Putting a fake security award on Ashley Madison’s home page was an “exceptional” deception, but other security deficiencies the investigation found are far from unique to the company, Canadian privacy commissioner Daniel Therrien said in an interview.

“Ashley Madison admitted to us these trust marks were completely fictitious. They made them up. Clearly, that was a serious misrepresentation in trying to get membership,” Therrien said. “But in terms of general security practices, what we found is not at all exceptional or unusual.”

In a release, Ashley Madison parent company ruby Corp. — intentionally lowercase and formerly known as Avid Life Media Inc. — said it has agreed to comply with the investigation’s recommendations. If the Office of the Privacy Commissioner finds ruby has failed to do so by the deadlines set out in the report, it can take the company to court.

“The company continues to make significant, ongoing investments in privacy and security to address the constantly evolving threats facing online businesses,” said chief executive Rob Segal in the release. “These investments are the cornerstone of rebuilding consumer trust over the long-term.”

In addition to the fake security award — which Ashley Madison has removed from its website — the report found a long list of lax security practices at ruby. The company had poor password management procedures, held onto personal information from inactive and deactivated accounts for too long and lacked a written, comprehensive privacy and security policy, the report found.

According to the terms of the compliance agreement, ruby must complete a third-party review of its personal information protections; update its policies on retaining personal information in inactive and deleted accounts; and re-think its email verification practices to prevent people from signing up under someone else’s name, potentially damaging that person’s reputation in the event of a data breach.

Therrien said ruby was co-operative during the investigation, granting the privacy agencies access to systems and letting them visit the office five times. However, given ruby’s past willingness to trick members into thinking the site was more secure than it actually was, he said he would be keeping a close eye on compliance.

“The company in the past has used deceptive practices,” Therrien said. “They have co-operated with us in the course of the investigation, but we will be sure to look very closely at how they improve things before we agree with the fact they had complied with the agreement.”

Michael Crystal, a class-action lawyer at Spiteri & Ursulak LLP who specializes in privacy and data breaches, said the report will form an important precedent, laying out what Canada expects from companies that are stewards of digital personal information. He said he sees attitudes on the importance of cybersecurity finally starting to change in the corporate world following a constant barrage of headlines about data breaches.

“This type of document sends a strong message,” he said. “These corporate entities that are making a good deal of money from our information have a matching responsibility to protect it.”

Proposed class-action lawsuits filed by Ashley Madison members whose personal information was exposed in the hack continue to make their way through the courts.

Toronto Police and the Federal Bureau of Investigation announced a joint investigation into the person or group who hacked the company last year, but no charges have been laid.

LEE JIN-MAN/THE CANADIAN PRESS Ashley Madison posted on its website a fictitious security award, a pair of privacy agencies involved in a yearlong investigation say.
