Advertisement

Ashley Madison broke Canadian privacy laws with ‘deceptive’ security practices: Privacy czar

Officials found that while Ashley Madison marketed itself as a “discreet and secure” service, the website had inadequate security safeguards and policies – including the lack of a comprehensive privacy and security framework.
Officials found that while Ashley Madison marketed itself as a “discreet and secure” service, the website had inadequate security safeguards and policies – including the lack of a comprehensive privacy and security framework. GETTY IMAGES

More than a year after a massive data breach exposed some 32 million Ashley Madison users, Canada’s privacy commissioner has released a report slamming the company’s security practices.

The investigation – conducted by the Office of the Privacy Commissioner of Canada and the Office of the Australia Information Commissioner – found that the Toronto-based parent company of the affair-facilitating website, Avid Life Media, broke multiple privacy laws in both countries.

READ MORE: Infidelity website Ashley Madison faces FTC investigation, new CEO says ‘sorry’

Officials found that while Ashley Madison marketed itself as a “discreet and secure” service, the website had inadequate security safeguards and policies – including the lack of a comprehensive privacy and security framework.

Despite this, the company went as far as to put a fake security award logo on its website to assure users the site was safe.

Story continues below advertisement

“Privacy breaches are a core risk for any organization with a business model based on the collection and use of personal information,” said Canada’s Privacy Commissioner Daniel Therrien.

“Where data is highly sensitive and attractive to criminals, the risk is even greater. Handling huge amounts of this kind of personal information without a comprehensive information security plan is unacceptable. This is an important lesson all organizations can draw from the investigation.”

READ MORE: Will the Ashley Madison hack force us to take online privacy more seriously?

WATCH: Why investigators asked for help from hackers to investigate the Ashley Madison hack

Last August, hackers broke into Avid Life Media’s – now known as Ruby Corp – systems and released a treasure trove of user data from the website, containing account details and log-ins for some 32 million users.

The hack ultimately cost Ruby Corp. more than a quarter of its revenue.

Although Ashley Madison did have some security measures in place, the report found several issues including inadequate authentication processes for employees accessing the company’s system remotely and poor key and password management practices.

Because the investigation found that Ruby Corp. violated privacy laws in both Canada and Australia, both commissioners issued a number of recommendations aimed bringing the company back into compliance with privacy laws.

Story continues below advertisement

“The company agreed to demonstrate its commitment to addressing those privacy concerns by entering into a compliance agreement with the Canadian Commissioner and enforceable undertaking with the Australian Commissioner, making the recommendations enforceable in court,” Tobi Cohen, spokesperson with the office of the privacy commissioner, told Global News Tuesday.

“The company has hired a security consultant to help improve its security practices. As well, [Ruby Corp.] has already taken steps to improve security practices, such as adopting multi-factor authentication for remote administrative access by employees to its network, and completing information security training of employees.”

Canada’s privacy commissioner does not have order-making powers and cannot impose fines or penalties on companies who break privacy laws.

READ MORE: Ashley Madison users continue to receive blackmail months after hack

“We hope that by openly speaking about the breach and our commitments to the OPC and the OAIC, we can help other organizations and business leaders who are facing increased cyber security challenges,” said Rob Segal, CEO of Ruby.

“The company has co-operated with the commissioners throughout their investigation and will continue to share information with them as we honour the terms of the compliance agreement and enforceable undertaking.”