More than a year after a massive data breach exposed some 32 million Ashley Madison users, Canada’s privacy commissioner has released a report slamming the company’s security practices.
The investigation – conducted by the Office of the Privacy Commissioner of Canada and the Office of the Australian Information Commissioner – found that the Toronto-based parent company of the affair-facilitating website, Avid Life Media, broke multiple privacy laws in both countries.
Officials found that while Ashley Madison marketed itself as a “discreet and secure” service, the website had inadequate security safeguards and policies – including the lack of a comprehensive privacy and security framework.
Despite this, the company went as far as to put a fake security award logo on its website to assure users the site was safe.
“Privacy breaches are a core risk for any organization with a business model based on the collection and use of personal information,” said Canada’s Privacy Commissioner Daniel Therrien.
“Where data is highly sensitive and attractive to criminals, the risk is even greater. Handling huge amounts of this kind of personal information without a comprehensive information security plan is unacceptable. This is an important lesson all organizations can draw from the investigation.”
Last August, hackers broke into the systems of Avid Life Media, now known as Ruby Corp., and released a treasure trove of user data from the website, containing account details and log-ins for some 32 million users.
The hack ultimately cost Ruby Corp. more than a quarter of its revenue.
Although Ashley Madison did have some security measures in place, the report found several issues including inadequate authentication processes for employees accessing the company’s system remotely and poor key and password management practices.
Because the investigation found that Ruby Corp. violated privacy laws in both Canada and Australia, both commissioners issued a number of recommendations aimed at bringing the company back into compliance with privacy laws.
“The company agreed to demonstrate its commitment to addressing those privacy concerns by entering into a compliance agreement with the Canadian Commissioner and enforceable undertaking with the Australian Commissioner, making the recommendations enforceable in court,” Tobi Cohen, spokesperson with the office of the privacy commissioner, told Global News Tuesday.
Canada’s privacy commissioner does not have order-making powers and cannot impose fines or penalties on companies that break privacy laws.
“We hope that by openly speaking about the breach and our commitments to the OPC and the OAIC, we can help other organizations and business leaders who are facing increased cyber security challenges,” said Rob Segal, CEO of Ruby.
“The company has co-operated with the commissioners throughout their investigation and will continue to share information with them as we honour the terms of the compliance agreement and enforceable undertaking.”