Local Community Advertising
A joint investigation into the website Ashley Madison following a massive data breach has concluded and found that the company violated privacy laws.
The website marketed itself as a “100% discreet service” for people seeking to have an affair and according to officials, it bolstered that claim with a fabricated security trust mark. But following the investigation by the Privacy Commission of Canada, the company had inadequate security safeguards and policies.
"Where data is highly sensitive and attractive to criminals, the risk is even greater,” said privacy commissioner Daniel Therrien. “Handling huge amounts of this kind of personal information without a comprehensive information security plan is unacceptable. This is an important lesson all organizations can draw from the investigation."
The investigation following the breach of Toronto-based Avid Life Media (ALM) Inc.'s computer network was conducted jointly by the Office of the Privacy Commissioner of Canada and the Office of the Australian Information Commissioner and identified numerous violations of the privacy laws of both countries.
The investigation found that the company, which recently rebranded as Ruby Corp., was clearly aware of the importance of discretion and security, so much so that they placed a phoney trust mark icon on its home page to reassure users. But there was a lack of comprehensive privacy and security framework.
The breach of ALM's data management system came to light in July 2015. After the breach, files taken from the ALM corporate network and Ashley Madison database – including details from approximately 36 million user accounts – were published online.
The investigation found that certain information security safeguards were insufficient or absent and the company fell short when it came to implementing security measures.
- There were inadequate authentication processes for employees accessing the company's system remotely.
- ALM's network protections included encryption on all web communications between the company and its users, however, encryption keys were stored as plain, clearly identifiable text on ALM systems. That left information encrypted using those keys at risk of unauthorized disclosure.
- ALM had poor key and password management practices. For example, the company's 'shared secret' for its remote access server was available on the ALM Google drive – meaning anyone with access to any ALM employee's drive on any computer, anywhere, could have potentially discovered it.
- Instances of storage of passwords as plain, clearly identifiable text in emails and text files were also found on the company's systems.
“With respect to the retention and deletion of customer information, the investigation found the company was inappropriately retaining some personal information after profiles had been deactivated or deleted by users,” said the privacy commissioner in a statement.
“The investigation also found the company failed to adequately ensure the accuracy of customer email addresses it held – an issue that resulted in the email addresses of people who had never actually signed up for Ashley Madison being included in the databases published online following the breach. This issue raised particular concerns given that, for both users and non-users, any association with a site such as Ashley Madison could cause serious reputational harm.
“Finally, with respect to transparency, investigators found that at the time of the breach, the home page of the Ashley Madison website included various trust marks suggesting a high level of security, including a medal icon labelled ‘trusted security award.’ ALM officials later admitted the trust mark was their own fabrication and removed it.”
The company’s use of a fictitious security trust mark meant that individuals’ consent was improperly obtained by the company.
Local Community Advertising