DataBreaches.Net


Ashley Madison investigation by Canada and Australia results in compliance agreement

Posted on August 23, 2016 by Dissent

Ashley Madison marketed itself as a “100% discreet service” for people seeking to have affairs — and bolstered that claim with a fabricated security trustmark — but the company behind the website had inadequate security safeguards and policies, an investigation following a massive data breach has concluded.

“Privacy breaches are a core risk for any organization with a business model based on the collection and use of personal information,” says Privacy Commissioner of Canada Daniel Therrien.

“Where data is highly sensitive and attractive to criminals, the risk is even greater. Handling huge amounts of this kind of personal information without a comprehensive information security plan is unacceptable. This is an important lesson all organizations can draw from the investigation.”

The investigation following the breach of Toronto-based Avid Life Media Inc.’s computer network was conducted jointly by the Office of the Privacy Commissioner of Canada and the Office of the Australian Information Commissioner and identified numerous violations of the privacy laws of both countries.

Chief among the concerns identified was the lack of a comprehensive privacy and security framework — even though Avid Life Media (ALM — recently rebranded as Ruby Corp.) was clearly aware of the importance of discretion and security. The company went so far as to place a phoney trustmark icon on its home page to reassure users.

The breach of ALM’s data management system came to light in July 2015. After the breach, files taken from the ALM corporate network and Ashley Madison database — including details from approximately 36 million user accounts — were published online.

The investigation, which examined ALM’s compliance with both the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal private sector privacy law, and Australia’s Privacy Act, focused on four key issues: information security; retention and deletion of user accounts; accuracy of email addresses; and transparency with users.

The investigation found that certain information security safeguards were insufficient or absent and, although ALM did have some personal information security protections in place, the company fell short when it came to implementing those security measures. For example:

  • There were inadequate authentication processes for employees accessing the company’s system remotely.
  • ALM’s network protections included encryption on all web communications between the company and its users; however, encryption keys were stored as plain, clearly identifiable text on ALM systems. That left information encrypted using those keys at risk of unauthorized disclosure.
  • ALM had poor key and password management practices. For example, the company’s ‘shared secret’ for its remote access server was available on the ALM Google drive — meaning anyone with access to any ALM employee’s drive on any computer, anywhere, could have potentially discovered it.
  • Instances of storage of passwords as plain, clearly identifiable text in emails and text files were also found on the company’s systems.
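
The key- and password-handling findings above (a remote-access shared secret on a shared drive, private keys and passwords sitting as clearly identifiable text in files and mail) are exactly what a basic secret scan over a file share or mailbox export surfaces. The following is an added example, not code from the OPC/OAIC report or from ALM/Ruby Corp.: a small Python scanner that walks a directory tree, flags PEM private-key blocks and password-style assignments, and reports their location with the secret value redacted. The sample file names, contents and detection patterns are constructed for the demonstration and are far smaller than a production rule set.

```python
"""Minimal plaintext-secret scanner.

Added example, not code from DataBreaches.net, from the OPC/OAIC report,
or from Avid Life Media / Ruby Corp. It shows the class of finding the
investigation describes (private keys and passwords kept as clearly
identifiable text): walk a directory tree, flag PEM private-key blocks
and password-style assignments, and report their location with the
secret value redacted. The sample files and patterns below are
constructed for the demonstration.
"""
import os
import re
import tempfile
from dataclasses import dataclass

# "Clearly identifiable" secret patterns (constructed for this example).
PEM_PRIVATE_KEY = re.compile(
    r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"
)
PASSWORD_ASSIGNMENT = re.compile(
    r"(?i)\b(password|passwd|pwd|shared[_ -]?secret|secret[_ -]?key)\b\s*[:=]\s*\S+"
)
# Only open file types that commonly hold config, notes, mail or keys.
TEXT_SUFFIXES = {".txt", ".cfg", ".conf", ".ini", ".env", ".eml",
                 ".pem", ".key", ".yaml", ".yml", ".json", ".md"}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str      # "private_key" or "password"
    excerpt: str   # line with the secret value removed, safe for a report


def _redact(line: str) -> str:
    """Keep the identifier and separator, replace the value with ***."""
    return re.sub(r"([:=]\s*)\S+", r"\1***", line.strip(), count=1)


def scan_text(text: str, path: str = "<memory>") -> list:
    """Return findings for one file's contents."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        if PEM_PRIVATE_KEY.search(line):
            findings.append(Finding(path, n, "private_key", line.strip()))
        elif PASSWORD_ASSIGNMENT.search(line):
            findings.append(Finding(path, n, "password", _redact(line)))
    return findings


def scan_tree(root: str) -> list:
    """Scan every text-like file under root; unreadable files are skipped."""
    out = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in TEXT_SUFFIXES:
                continue
            full = os.path.join(dirpath, name)
            try:
                with open(full, encoding="utf-8", errors="replace") as fh:
                    out.extend(scan_text(fh.read(), full))
            except OSError:
                continue
    return sorted(out, key=lambda f: (f.path, f.line_no))


# Constructed sample tree: three files with secrets in the clear, two clean.
SAMPLE_FILES = {
    "notes/vpn-access.txt": "RAS shared secret: example-shared-secret-value\n",
    "mail/2015-03-ops.eml": "Subject: db creds\n\npassword=example-db-password\n",
    "keys/web-tls.pem": ("-----BEGIN RSA PRIVATE KEY-----\n"
                         "MIIEowIBAAKCAQEA...constructed placeholder...\n"
                         "-----END RSA PRIVATE KEY-----\n"),
    "docs/policy.md": "Rotate keys quarterly. Never store secrets in mail.\n",
    "app/config.env": "DB_HOST=db.internal\n",
}


def write_samples(root: str) -> None:
    """Materialise the constructed sample tree under root."""
    for rel, body in SAMPLE_FILES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)


def demo() -> list:
    """Write the sample tree to a temp dir, scan it, return findings with relative paths."""
    with tempfile.TemporaryDirectory() as root:
        write_samples(root)
        rel = lambda p: os.path.relpath(p, root).replace(os.sep, "/")
        return [Finding(rel(f.path), f.line_no, f.kind, f.excerpt)
                for f in scan_tree(root)]


if __name__ == "__main__":
    for f in demo():
        print(f"{f.kind:<12} {f.path}:{f.line_no}  {f.excerpt}")
```

Run it directly to scan the constructed sample tree, or call scan_tree() on a real export path. Two design choices matter in practice: the report carries the file, line and key name but never the secret value itself, so the scan output does not become a second copy of the leak, and only text-like extensions are opened, so binaries and bulk data are skipped rather than read into memory.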

“Security measures should be documented in writing and include technological, physical and organizational safeguards,” says Commissioner Therrien. “Businesses must also assess risks, align their policies to mitigate those risks and train employees to ensure that policies are actually implemented and followed.”

With respect to the retention and deletion of customer information, the investigation found the company was inappropriately retaining some personal information after profiles had been deactivated or deleted by users.

The investigation also found the company failed to adequately ensure the accuracy of customer email addresses it held — an issue that resulted in the email addresses of people who had never actually signed up for Ashley Madison being included in the databases published online following the breach. This issue raised particular concerns given that, for both users and non-users, any association with a site such as Ashley Madison could cause serious reputational harm.

Finally, with respect to transparency, investigators found that at the time of the breach, the home page of the Ashley Madison website included various trustmarks suggesting a high level of security, including a medal icon labelled “trusted security award.” ALM officials later admitted the trustmark was their own fabrication and removed it.

“The company’s use of a fictitious security trustmark meant individuals’ consent was improperly obtained,” Commissioner Therrien says.

Both the Canadian and Australian Commissioners issued a number of recommendations aimed at bringing the company into compliance with privacy laws in a timely fashion.

The company cooperated with the investigation and agreed to demonstrate its commitment to addressing privacy concerns by entering into a compliance agreement with the Canadian Commissioner and an enforceable undertaking with the Australian Commissioner, making the recommendations enforceable in court.

SOURCE: Office of the Privacy Commissioner of Canada

Related Documents:

  • PIPEDA Report: Joint investigation of Ashley Madison by the Privacy Commissioner of Canada and the Australian Privacy Commissioner/Acting Australian Information Commissioner
  • Ashley Madison Investigation – Takeaways for all Organizations
  • Compliance Agreement Between: The Privacy Commissioner of Canada and Avid Life Media Inc. (Ruby Corp.)
Category: Business Sector, Commentaries and Analyses, Non-U.S., Of Note

© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.