TORONTO — Privacy officials in Canada and Australia have found that cheating website Ashley Madison had inadequate security safeguards and policies despite marketing itself as a discreet and secure service
More than a year after a massive data breach at the website for married people seeking affairs that made international headlines, the Office of the Privacy Commissioner of Canada and the Office of the Australian Information Commissioner said Tuesday that their investigation into Ashley Madison had identified numerous violations of both countries’ privacy laws.
The two agencies said in a report that Ashley Madison lacked a comprehensive privacy and security framework, even though the site’s parent company, Avid Life Media Inc., knew how important that was, and even went so far as to place a fake security trust mark icon on its home page to reassure users.
Hackers originally breached Avid Life’s systems in July 2015 and then posted the information online a month later after the company didn’t comply with their demands to shut down Ashley Madison.
The company’s use of a fictitious security trust mark meant individuals’ consent was improperly obtained,” Canada’s privacy commissioner, Daniel Therrien, said in a statement.
Though the company did have some security measures in place, the agencies found several issues, including inadequate authentication processes for employees accessing the company’s system remotely and poor key and password management practices.
In some instances, passwords were stored as plain, clearly identifiable text in emails and text files on the company’s systems, the report said.
Last year’s hack exposed the personal dealings and financial information of millions of purported clients.
Ashley Madison’s parent company, now rebranded with a new name Ruby Corp., has said the cyberattack cost it about a quarter of its annual revenue. The company said Tuesday that it has co-operated with the investigation and entered into a compliance agreement that makes the report’s recommendations enforceable in court, although it does not mean Ashley Madison admits to the findings. It vowed to take several steps to ensure better data security.