Ashley Madison marketed itself as a “100% discreet service” for people seeking to have affairs — and bolstered that claim with a fabricated security trustmark — but the company behind the website had inadequate security safeguards and policies, an investigation following a massive data breach has concluded.
“Privacy breaches are a core risk for any organization with a business model based on the collection and use of personal information,” says Privacy Commissioner of Canada Daniel Therrien.
“Where data is highly sensitive and attractive to criminals, the risk is even greater. Handling huge amounts of this kind of personal information without a comprehensive information security plan is unacceptable. This is an important lesson all organizations can draw from the investigation.”
The investigation following the breach of Toronto-based Avid Life Media Inc.’s computer network was conducted jointly by the Office of the Privacy Commissioner of Canada and the Office of the Australian Information Commissioner and identified numerous violations of the privacy laws of both countries.
Chief among the concerns identified was the lack of a comprehensive privacy and security framework — even though Avid Life Media (ALM — recently rebranded as Ruby Corp.) was clearly aware of the importance of discretion and security. The company went so far as to place a phoney trustmark icon on its home page to reassure users.
The breach of ALM’s data management system came to light in July 2015. After the breach, files taken from the ALM corporate network and Ashley Madison database — including details from approximately 36 million user accounts — were published online.
The investigation, which examined ALM’s compliance with both the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal private sector privacy law and Australia’s Privacy Act, focused on four key issues: Information security; retention and deletion of user accounts; accuracy of email addresses and transparency with users.
The investigation found that certain information security safeguards were insufficient or absent and, although ALM did have some personal information security protections in place, the company fell short when it came to implementing those security measures. For example:
- There were inadequate authentication processes for employees accessing the company’s system remotely.
- ALM’s network protections included encryption on all web communications between the company and its users, however, encryption keys were stored as plain, clearly identifiable text on ALM systems. That left information encrypted using those keys at risk of unauthorized disclosure.
- ALM had poor key and password management practices. For example, the company’s ‘shared secret’ for its remote access server was available on the ALM Google drive — meaning anyone with access to any ALM employee’s drive on any computer, anywhere, could have potentially discovered it.
- Instances of storage of passwords as plain, clearly identifiable text in emails and text files were also found on the company’s systems.
“Security measures should be documented in writing and include technological, physical and organizational safeguards,” says Commissioner Therrien. “Businesses must also assess risks, align their policies to mitigate those risks and train employees to ensure that policies are actually implemented and followed.”
With respect to the retention and deletion of customer information, the investigation found the company was inappropriately retaining some personal information after profiles had been deactivated or deleted by users.
The investigation also found the company failed to adequately ensure the accuracy of customer email addresses it held — an issue that resulted in the email addresses of people who had never actually signed up for Ashley Madison being included in the databases published online following the breach. This issue raised particular concerns given that, for both users and non-users, any association with a site such as Ashley Madison could cause serious reputational harm.
Finally, with respect to transparency, investigators found that at the time of the breach, the home page of the Ashley Madison website included various trustmarks suggesting a high level of security, including a medal icon labelled “trusted security award.” ALM officials later admitted the trustmark was their own fabrication and removed it.
“The company’s use of a fictitious security trustmark meant individuals’ consent was improperly obtained,” Commissioner Therrien says.
Both the Canadian and Australian Commissioners issued a number of recommendations aimed at bringing the company into compliance with privacy laws in a timely fashion.
The company cooperated with the investigation and agreed to demonstrate its commitment to addressing privacy concerns by entering into a compliance agreement with the Canadian Commissioner and enforceable undertaking with the Australian Commissioner, making the recommendations enforceable in court.
SOURCE: Office of the Privacy Commissioner of Canada
Related Documents:
- PIPEDA Report: Joint investigation of Ashley Madison by the Privacy Commissioner of Canada and the Australian Privacy Commissioner/Acting Australian Information Commissioner
- Ashley Madison Investigation – Takeaways for all Organizations
- Compliance Agreement Between: The Privacy Commissioner of Canada and Avid Life Media Inc. (Ruby Corp.)