Current Conditions

Partly Cloudy

Ashley Madison had inadequate security safeguards, privacy officials say

A man looks at the Ashley Madison website in this photo illustration in Toronto on Thursday, August 20, 2015. Privacy officials in Canada and Australia have found that while Ashley Madison marketed itself as a discreet and secure service, the site for married people seeking affairs in fact had inadequate security safeguards and policies.
Image Credit: THE CANADIAN PRESS/Graeme Roy
August 24, 2016 - 7:00 AM

Ashley Madison marketed itself as a discreet and secure service, but the site for married people seeking affairs had inadequate security safeguards and policies when it was targeted by hackers, privacy officials in Canada and Australia have found.

More than a year after a massive data breach that made international headlines, the Office of the Privacy Commissioner of Canada and the Office of the Australian Information Commissioner say their investigation into Ashley Madison has identified numerous violations of the privacy laws of both countries.

In a report released Tuesday, the two agencies said there was a lack of a comprehensive privacy and security framework, even though the site's parent company knew how important it was, and even went so far as to place a fake security trustmark icon on its home page to reassure users.

"The company's use of a fictitious security trustmark meant individuals' consent was improperly obtained," Canada's privacy commissioner, Daniel Therrien, said in a statement.

Though the company did have some security measures in place, the agencies found several issues, including inadequate authentication processes for employees accessing the company's system remotely and poor key and password management practices.

In some instances, passwords were stored as plain, clearly identifiable text in emails and text files on the company's systems, the report said.

"Privacy breaches are a core risk for any organization with a business model based on the collection and use of personal information," Therrien said.

"Where data is highly sensitive and attractive to criminals, the risk is even greater. Handling huge amounts of this kind of personal information without a comprehensive information security plan is unacceptable. This is an important lesson all organizations can draw from the investigation."

Last year's hack exposed the personal dealings and financial information of millions of purported clients.

Ashley Madison's parent company, Ruby Corp. — formerly known as Avid Life Media — has said the cyberattack cost it about a quarter of its annual revenue.

The company said Tuesday it has co-operated with the investigation and entered into a compliance agreement that makes the report's recommendations enforceable in court, though it does not mean Ashley Madison admits to the findings.

It vowed to take several steps to ensure better data security, including completing a comprehensive third-party review of its existing protections by the end of this year — a process the company said is already underway.

Ruby Corp. also committed to further boosting and documenting its information security framework by May 31 of next year, and said mandatory security and privacy training for employees has already been implemented.

The recommendations the company agreed to also include rules about the retention of personal information, which call for Ruby Corp. to cease holding on indefinitely to the information of users whose accounts are deactivated, inactive or deleted by March 31 of next year.

It must also continue to allow users to request the deletion of their account profile information at no cost, an option the company said it has offered since last September.

"The company continues to make significant, ongoing investments in privacy and security to address the constantly evolving threats facing online businesses. These investments are the cornerstone of rebuilding consumer trust over the long term," the company's CEO, Rob Segal, said in a statement.

News from © The Canadian Press, 2016
The Canadian Press

  • Popular kamloops News
  • Comments
  • Murder victim found in Kelowna orchard identified
    KELOWNA - The identity of the woman whose body was found in a Kelowna orchard last week has been made public on social media. Kelowna resident Russia Katalina Nicholson was just 23-years-old
  • Nasty weather forecast for Thompson, Shuswap tomorrow
    THOMPSON-SHUSWAP - The Thompson and Shuswap could be in for some blustery weather tomorrow by midday. Environment Canada has issued a special weather statement warning of strong wind gusts a
  • Westsyde residents face uphill battle to bring Timmies to neighbourhood
    KAMLOOPS - It took just six days for 1,242 Westsyde residents to sign a petition calling for Tim Hortons to consider allowing a franchisee to open up shop at the corner of Westsyde Road and Overla
  • UPDATE: Missing Kamloops teen located
    UPDATE: 5:06 a.m. Monday, Oct. 16, 2017 KAMLOOPS - RCMP say a missing 18-year-old girl has been located. All personal information about the missing person has been removed from this
  • Vernon home 'known to police' shot up Sunday morning
    VERNON - Police say a burned out vehicle is related to a nearby incident where shots were fired at a Vernon home that is 'known to police' early Sunday morning.  Vernon RCMP sai
View Site in: Desktop | Mobile