Canadian adultery website Ashley Madison used a fake “trusted security award” medal icon on its homepage and engaged in deceptive or confusing privacy practices, according to a joint investigation by Australian and Canadian privacy authorities.
The website, which is known for promoting and facilitating adultery, was the target of an attack last year that led to a data breach exposing the personal data of 36 million users worldwide, including hundreds of thousands of Australians.
The data included users’ email addresses and credit card details, as well as other information, such as sexual fantasies.
According to a report of the joint investigation conducted by the Office of the Australian Privacy Commissioner (OAIC) and the Office of the Privacy Commissioner of Canada (OPC), Ashley Madison’s parent company, Avid Life Media (ALM), had inadequate information security measures in place to protect users.
“Although ALM had a range of personal information security protections in place, it did not have an adequate overarching information security framework within which it assessed the adequacy of its information security,” stated the report. “Certain security safeguards in some areas were insufficient or absent at the time of the data breach.
“It is not sufficient for an organisation such as ALM, or any organisation that holds large amounts of personal information of a sensitive nature, to address information security without an adequate and coherent governance framework,” it said.
Of note was the ‘trusted security award’ icon on the site’s homepage that, according to the report, ALM confirmed was “simply their own fabrication rather than a validated designation by any third party”.
The investigation report also states that there were issues with the way Ashley Madison held users’ information. Specifically, ALM retained users’ information after profiles had been deactivated or deleted.
According to the investigators, under Canadian and Australian law, no website should be able to keep user information indefinitely after an account has been deactivated.
The investigators also took exception to ALM’s practice of charging users to ‘fully delete’ their profiles, and found that ALM did not confirm the accuracy of user email addresses before collecting or using them, and had inadequate transparency around its personal information handling practices.
According to Australian Privacy Commissioner Timothy Pilgrim, the findings of the joint investigation – the first of its kind – revealed the risk businesses face when they don’t have a dedicated risk management process in place to protect personal information.
“This incident shows how that approach goes beyond ‘IT issues’ and must include training, policies, documentation, oversight and clear lines of authority for decisions about personal information security,” Pilgrim said.
“The report offers important lessons to any businesses relying on personal information as part of their business model.”