A new investigation into the Ashley Madison data breach has been “highly critical” of the dating site’s security practices.
The report, by Australian Privacy Commissioner Timothy Pilgrim and the Privacy Commissioner of Canada, Daniel Therrien, found that the Canadian site’s defences were not up to standard, and were partly responsible for the hack.
The investigation, which opened in August 2015, looked into the dating site’s privacy and personal data security practices, and includes court-enforceable commitments by Ashley Madison’s parent company, Avid Life Media.
It also examined the site’s practices around retaining customer data after profiles were deactivated, charging users to “fully delete” their profiles, its transparency about how personal information was handled, and its failure to confirm the accuracy of user email addresses.
Commissioners Pilgrim and Therrien said: “The findings of our joint investigation reveal the risks to businesses when they do not have a dedicated risk management process in place to protect personal information.
“This incident shows how that approach goes beyond ‘IT issues’ and must include training, policies, documentation, oversight and clear lines of authority for decisions about personal information security. The report offers important lessons to any businesses relying on personal information as part of their business model.”
The first ever joint Australian-Canadian privacy investigation also criticised Ashley Madison’s trust-marks on the website that “suggested a high level of security and discretion”, indicating the site was SSL secure and offered a 100% discreet service.
As the report says: “the trust-mark and the level of security it represented, could have been material to [users’] decision whether or not to use the site.”
In terms of its “full delete” option, the report said it was “not reasonable” that user details were kept indefinitely.
The investigation report said: “The figures provided by ALM indicated that the vast majority of users who reactivated their accounts did so after an extremely short period of time (99.9% within 29 days), and most chargeback requests from credit card providers were received within 12 months. These figures did not provide any justification for indefinite retention.”
The commissioners have detailed a number of actions and improvements that ALM needed to take to address the issues, and in response ALM has offered binding commitments to improve its personal information practices and governance.
Pilgrim and Therrien said: “While ALM fell well short of the requirements we would expect for an organisation managing personal information, breaches can occur in the best run companies.
“The lesson for consumers is to make informed choices about providing personal information and to take privacy into their own hands. Be clear about what you are providing, the value you are getting in exchange, and understand that no organisation is ‘breach-proof’.”