Ashley Madison dating website parent broke privacy laws

Infidelity dating website hacked last year found to have inadequate safeguards

Ashley Madison dating website: a joint investigation by the offices of the Australian and Canadian privacy commissioners has concluded that Avid Life Media, which operates the website, “had inadequate security safeguards and policies” in place prior to a July 2015 hack. Photograph: Philippe Lopez/AFP/Getty

The parent company of infidelity dating website Ashley Madison was responsible for numerous violations of privacy laws at the time of a massive release of customer data in a cyber attack last year, privacy watchdogs in Canada and Australia said on Tuesday.

The two countries launched an investigation after the 2015 breach of Avid Life Media’s computer network, when hackers exposed the personal details of millions who signed up for the site with the slogan “Life is short. Have an affair.”

The investigation found the Toronto-based company had inadequate safeguards in place, including poor password management and a fabricated security trustmark on the website’s home page.

The company, recently rebranded as Ruby Corp, has entered into agreements with authorities in both countries to comply with investigators' recommendations, which are enforceable in court. The company is also the target of a US Federal Trade Commission (FTC) investigation, Avid Life Media executives told Reuters in July.

Deceptive advertising

The FTC’s consumer protection unit investigates cases of deceptive advertising, including instances where consumers are told their information is secure but it is handled sloppily. The FTC could not immediately be reached for comment. The investigation conducted jointly by the Office of the Privacy Commissioner of Canada and the Office of the Australian Information Commissioner found certain information security safeguards were insufficient or absent at the time of the hacking attack.

While the company did have some personal information protections in place, it fell short in implementing those measures, the report found. For instance, it said some passwords and encryption keys were stored as plain, identifiable text on the company’s systems.

False trustmark

At the time of the breach, Ashley Madison’s home page displayed various trustmarks suggesting a high level of security, including an icon labelled “trusted security award”, the report said. Company officials later admitted they had fabricated the trustmark, and removed it. The company also inappropriately retained some personal information after profiles had been deactivated or deleted by users and did not adequately ensure the accuracy of customer email addresses, the report said. This meant some people who had never signed up for Ashley Madison were included in databases published online after the hack, it said.

Among the investigators’ recommendations, Ruby will have until the end of the year to complete a review of the safeguards it has in place to protect personal information. The company said on Tuesday the review was a key priority and already under way. – (Reuters)