Notorious dating site Ashley Madison marketed itself as a “100% discreet service” for people seeking to have affairs and went so far as to bolster that claim with a fabricated security trustmark.
However, the Canadian company behind the website had inadequate security safeguards and policies, an investigation following a massive data breach has concluded.
“Privacy breaches are a core risk for any organization with a business model based on the collection and use of personal information,” says Privacy Commissioner of Canada Daniel Therrien. “Where data is highly sensitive and attractive to criminals, the risk is even greater. Handling huge amounts of this kind of personal information without a comprehensive information security plan is unacceptable.”
The investigation following the breach of Toronto-based Avid Life Media Inc.’s computer network was conducted jointly by the Office of the Privacy Commissioner of Canada and the Office of the Australian Information Commissioner and identified numerous violations of the privacy laws of both countries.
Chief among the concerns identified was the lack of a comprehensive privacy and security framework, even though Avid Life Media (recently rebranded as Ruby Corp.) was clearly aware of the importance of discretion and security.
The breach of ALM’s data management system came to light in July 2015. After the breach, files taken from the ALM corporate network and Ashley Madison database — including details from approximately 36 million user accounts — were published online.
The investigation found that certain information security safeguards were insufficient or absent. Although ALM did have some protections for personal information in place, the company fell short when it came to implementing those measures. For example, authentication for employees accessing the company’s systems remotely was inadequate; key and password management practices were poor; and passwords were found stored as plain, clearly identifiable text in emails and text files on the company’s systems.
“Security measures should be documented in writing and include technological, physical and organizational safeguards,” says Commissioner Therrien. “Businesses must also assess risks, align their policies to mitigate those risks and train employees to ensure that policies are actually implemented and followed.”
The investigation also found the company was inappropriately retaining some personal information after profiles had been deactivated or deleted by users, and failed to adequately ensure the accuracy of customer email addresses it held.
Furthermore, the home page of the Ashley Madison website included various trustmarks suggesting a high level of security, including a medal icon labelled “trusted security award.” ALM officials later admitted the trustmark was their own fabrication and removed it.
“The company’s use of a fictitious security trustmark meant individuals’ consent was improperly obtained,” Commissioner Therrien says.
The company cooperated with the investigation and agreed to demonstrate its commitment to addressing privacy concerns by entering into a compliance agreement with the Canadian Commissioner and an enforceable undertaking with the Australian Commissioner, making the recommendations enforceable in court.