A joint investigation by the Privacy Commissioner of Canada and the Office of the Australian Information Commissioner found that Avid Life Media, the company behind Ashley Madison, had inadequate security safeguards and policies.
According to a report from Reuters, the company is also under investigation by the U.S. Federal Trade Commission. The report looks into a breach in Avid Life Media’s data management system in July 2015, when details from approximately 36 million user accounts were published online. Two suicides in Toronto following the leak were associated with the incident.
“Privacy breaches are a core risk for any organization with a business model based on the collection and use of personal information,” said Privacy Commissioner of Canada Daniel Therrien. “Where data is highly sensitive and attractive to criminals, the risk is even greater. Handling huge amounts of this kind of personal information without a comprehensive information security plan is unacceptable. This is an important lesson all organizations can draw from the investigation.”
The joint report identified several violations of privacy laws in both Australia and Canada. The report looked at Avid Life Media’s compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal private sector privacy law, and Australia’s Privacy Act. The biggest concern was a lack of a comprehensive privacy and security framework, Avid Life Media even went so far as to include a fake trustmark icon on its home page.
“Security measures should be documented in writing and include technological, physical, and organizational safeguards,” said Therrien. “Businesses must also assess risks, align their policies to mitigate those risks and train employees to ensure that policies are actually implemented and followed.”
The report focused on four key issues: Information security; retention and deletion of user accounts; accuracy of email addresses and transparency with users.
Main security issues identified by the report include:
– Inadequate authentication processes for employees accessing the company’s system remotely.
– ALM’s network protections included encryption on all web communications between the company and its users, however, encryption keys were stored as plain, clearly identifiable text on ALM systems. That left information encrypted using those keys at risk of unauthorized disclosure.
– Poor key and password management practices. For example, the company’s ‘shared secret’ for its remote access server was available on the ALM Google drive – meaning anyone with access to any ALM employee’s drive on any computer, anywhere, could have potentially discovered it.
– Instances of storage of passwords as plain, clearly identifiable text in emails and text files were also found on the company’s systems.
The investigation also found that the company was retaining some personal information after profiles had been deactivated or deleted by users.
Both the Canadian and Australian Commissioners issued a number of recommendations to bring the company into compliance with privacy laws, including not retaining personal information once it’s no longer required, amending its account creation process so users can sign up without an email, and conduct a comprehensive review of its processes to protect personal information.
Avid Life Media cooperated with the investigation. The company has entered into a compliance agreement with the Canadian Commissioner and enforceable undertaking with the Australian Commissioner, making the recommendations enforceable in court.
The full report can be found here.