Ashley Madison marketed itself as a discreet and secure service, but the site for married people seeking affairs had inadequate security safeguards and policies when it was targeted by hackers, privacy officials in Canada and Australia have found.
More than a year after a massive data breach that made international headlines, the Office of the Privacy Commissioner of Canada and the Office of the Australian Information Commissioner say their investigation into Ashley Madison has identified numerous violations of the privacy laws of both countries.
In a report released Tuesday, the two agencies said there was a lack of a comprehensive privacy and security framework, even though the site's parent company knew how important it was, and even went so far as to place a fake security trustmark icon on its home page to reassure users.
"The company's use of a fictitious security trustmark meant individuals' consent was improperly obtained," Canada's privacy commissioner, Daniel Therrien, said in a statement.
Though the company did have some security measures in place, the agencies found several issues, including inadequate authentication processes for employees accessing the company's system remotely and poor key and password management practices.
In some instances, passwords were stored as plain, clearly identifiable text in emails and text files on the company's systems, the report said.
"Privacy breaches are a core risk for any organization with a business model based on the collection and use of personal information," Therrien said.
"Where data is highly sensitive and attractive to criminals, the risk is even greater. Handling huge amounts of this kind of personal information without a comprehensive information security plan is unacceptable. This is an important lesson all organizations can draw from the investigation."
Last year's hack exposed the personal dealings and financial information of millions of purported clients.
Ashley Madison's parent company, Ruby Corp. — formerly known as Avid Life Media — has said the cyberattack cost it about a quarter of its annual revenue.
The company said Tuesday it has co-operated with the investigation and entered into a compliance agreement that makes the report's recommendations enforceable in court, though it does not mean Ashley Madison admits to the findings.
It vowed to take several steps to ensure better data security, including completing a comprehensive third-party review of its existing protections by the end of this year — a process the company said is already underway.
Ruby Corp. also committed to further boosting and documenting its information security framework by May 31 of next year, and said mandatory security and privacy training for employees has already been implemented.
The recommendations the company agreed to also include rules about the retention of personal information, which call for Ruby Corp. to cease holding on indefinitely to the information of users whose accounts are deactivated, inactive or deleted by March 31 of next year.
It must also continue to allow users to request the deletion of their account profile information at no cost, an option the company said it has offered since last September.
"The company continues to make significant, ongoing investments in privacy and security to address the constantly evolving threats facing online businesses. These investments are the cornerstone of rebuilding consumer trust over the long term," the company's CEO, Rob Segal, said in a statement.