Australia's privacy commissioner has condemned the security posture of the owner of adultery website Ashley Madison, after a year-long investigation into the breach.
A hacking group called Impact Team revealed it had breached websites run by Avid Life Media last July, with the hackers stealing details on 36 million users then releasing a trove of embarrassing information in August. Ashley Madison promised users discreet hookups with other married individuals, under the tagline "Life is short. Have an affair".
Following a joint investigation by Timothy Pilgrim of the Office of the Australian Information Commissioner (OAIC) and Daniel Therrien, the privacy commissioner of Canada, where Avid Life Media is headquartered, the two offices have released joint findings that are "highly critical of the dating website's privacy and personal data security practices".
Pilgrim said: "The findings of our joint investigation reveal the risks to businesses when they do not have a dedicated risk management process in place to protect personal information.
“This incident shows how that approach goes beyond ‘IT issues’ and must include training, policies, documentation, oversight and clear lines of authority for decisions about personal information security. The report offers important lessons to any businesses relying on personal information as part of their business model.”
The report identifies numerous actions and improvements for Avid Life Media to address the issues identified through the investigation. The company has offered binding commitments to the Australian and Canadian commissioners, which are court enforceable.
Pilgrim noted that the report highlights an important lesson for all users of online services. “While ALM fell well short of the requirements we would expect for an organisation managing personal information, breaches can occur in the best run companies. The lesson for consumers is to make informed choices about providing personal information and to take privacy into their own hands. Be clear about what you are providing, the value you are getting in exchange, and understand that no organisation is ‘breach-proof’.”
Avid Life Media's enforceable undertakings include:
- Conducting a comprehensive review of the protections Avid Life Media has in place to protect personal information.
- Updating the company's information security framework and taking steps to ensure employees follow security procedures.
- Ceasing its practice of retaining indefinitely personal information of users whose accounts are deactivated or inactive, and ensuring it does not hold personal information beyond the retention period.
- Providing a no-cost option for individuals to withdraw their consent for ALM to hold their account profile information.
- Allowing users to join the website without providing an email address, or, if it continues to require email addresses from new users, implementing technical measures to improve the accuracy of the email addresses provided.