OTTAWA-The parent company of infidelity dating website Ashley Madison was responsible for numerous violations of privacy laws at the time of a massive release of customer data in a cyber attack a year ago, privacy watchdogs in Canada and Australia said on Tuesday, Aug. 23.
Advertisement
The investigation – conducted by the Office of the Privacy Commissioner of Canada and the Office of the Australia Information Commissioner – found that the Toronto-based parent company of the affair-facilitating website, Avid Life Media, broke multiple privacy laws in both countries.
In August past year, hackers followed through on a threat to publish the details of about 36 million Ashley Madison user accounts, including those of about 670,000 Australians.
The Office of the Australian Information Commissioner has published the findings of a joint review with its Canadian counterparts, claiming it has the power to use the Australian Privacy Act against the overseas entity because the personal information of Australians was caught up in the high-profile breach.
“Where data is highly sensitive and attractive to criminals, the risk is even greater”.
They also looked at ALM’s practice not to confirm the accuracy of users’ email addresses and its transparency over handling of personal information.
For example, there were inadequate authentication processes for employees accessing the company’s system remotely; ALM’s network protections included encryption on all web communications between the company and its users, however, encryption keys were stored as plain, clearly identifiable text on ALM systems.
The company, which rebooted under new leadership as an “open-minded dating” service last month, has agreed to bring its systems into compliance.
The site fell short of the “reasonable steps” to steps to secure personal information demanded by the Australian Privacy Act, with no discernible intrusion monitoring system in place to detect unusual activity. “Businesses must also assess risks, align their policies to mitigate those risks and train employees to ensure that policies are actually implemented and followed”.
It’s never a good sign when a website markets itself with a phony security award. ALM officials later admitted the trustmark was their own fabrication and removed it. Ashley Madison promised users discreet hookups with other married individuals, under the tagline “Life is short”.
Under Canadian and Australian privacy laws, no website should be able to keep user information indefinitely when the account has been deactivated, the investigators said.
Advertisement
“The company has cooperated with the commissioners throughout their investigation and will continue to share information with them as we honour the terms of the compliance agreement and enforceable undertaking”, said Rob Segal, the company’s chief executive.
