Ashley Madison not as Discreet, a lot More Deceptive than it Said, Probe Finds
Though it billed itself a place where those seeking an affair could do so undercover, an investigation by privacy officials has found cheating website Ashley Madison was far from a bastion of security in the time leading up to its high-profile data breach last year.
Ashley Madison was far less discreet and a lot more deceptive than the Toronto-based affair facilitator made out — going so far as to post phoney security icons on its home page, according to the investigation by privacy officials in Canada and Australia.
The agencies found the site’s parent company, Avid Life Media (ALM), which rebranded to Ruby Corp. in July, violated a number of privacy policies in both countries, even though it was well aware of the sensitivity of the information it gathered.
Safeguards, they said, were either “absent, difficult to understand or deceptive.”
“Privacy breaches are a core risk for any organization with a business model based on the collection and use of personal information,” said Canada’s privacy commissioner, Daniel Therrien, in a statement.
“Handling huge amounts of this kind of personal information without a comprehensive information security plan is unacceptable. This is an important lesson all organizations can draw from the investigation.”
The Office of the Privacy Commissioner of Canada and the Office of the Australian Information Commissioner released the conclusions of their investigation Tuesday, a year after a highly-publicized massive security hack at the website.
A group of hackers calling itself the Impact Team exposed information on more than 32 million users around the world, including financial data, sexual preferences and other identifying information, which led to some users being blackmailed. A second data dump made alleged internal company documents available to the public.
Toronto police launched a criminal investigation that remains ongoing.
The joint privacy investigation found Ashley Madison used a fake lock icon meant to convince users their information was secure and a medal labelled “trusted security award.” The company also had an inadequate process for authentication when the system was being accessed remotely, in addition to poor password management.
“Though ALM had some security safeguards in place, those safeguards appeared to have been adopted without due consideration of the risks faced,” the report said.
Parent company Ruby said Tuesday it has entered voluntary, court-enforceable agreements with both governments. It added that it co-operated with the Australian and Canadian privacy offices throughout the investigations.
“We hope that by openly speaking about the breach and our commitments to the OPC and the OAIC, we can help other organizations and business leaders who are facing increased cybersecurity challenges,” said CEO Rob Segal, who replaced the controversial company head Noel Biderman in April.
The company said it would make “significant, ongoing” investments in privacy and security in order to regain the trust of its clients. It agreed to a third-party review of its protections for personal information as well as mandatory security and privacy training for employees and to review and update its terms and conditions.
It also pledged to ensure that it doesn’t retain personal information of inactive users or those with deactivated accounts beyond an “appropriate retention period” and will either allow users to join the site without providing an email address or take actions that will enhance the accuracy addresses provided.
The company’s promises come after it was revealed that many of the user accounts exposed were outdated, partially because the company charged those who wanted to delete their accounts and still retained their information for a year. Some of the accounts — including those for prominent politicians and celebrities — were suspected to be falsified because it was easy to sign up under any email address.
The cyber attack destroyed one of the brand’s keystones — discretion — so badly that it wiped out a quarter of its annual revenues. The company also shelved a planned IPO after the hacking affair.
The revelations from the investigation, especially the fact that the company engaged in practices that were actually deceptive, could spark further lawsuits or criminal charges, said Ann Cavoukian, a three-term Ontario privacy commissioner and executive director of the Privacy and Big Data Institute at Ryerson University.
She questions how users would still visit the site after the latest findings.
“Personally, I can’t believe that anyone would go to use this service anymore given the absence of security and policy and of trust,” she said.
“How can you trust a company that faked its security and privacy offerings?”