A joint investigation by Australian and Canadian authorities into the Ashley Madison data breach has released findings highly critical of the extramarital affairs website’s security practices.
Avid Life Media (ALM) was the target of a data breach last year, which saw the details of approximately 36 million Ashley Madison user accounts accessed.
Hackers published users’ details online, with the leaked data including user names, emails and addresses.
The investigation, opened in August last year, was conducted by the Australian privacy commissioner Timothy Pilgrim and the privacy commissioner of Canada Daniel Therrien.
It found that ALM (recently rebranded Ruby Corp) “did not have appropriate safeguards in place considering the sensitivity of the personal information” under Canadian legislation, and had not taken “reasonable steps in the circumstances to protect the personal information it held under the Australian Privacy Act”.
A “lack of an adequate framework failed to prevent the multiple security weaknesses”, with the investigation finding this “is an unacceptable shortcoming for an organisation that holds sensitive personal information or a significant amount of personal information”.
ALM has offered court-enforceable binding commitments to each commissioner to improve its personal information practices and governance.
“The findings of our joint investigation reveal the risks to businesses when they do not have a dedicated risk-management process in place to protect personal information,” Pilgrim commented.
“This incident shows how that approach goes beyond ‘IT issues’ and must include training, policies, documentation, oversight and clear lines of authority for decisions about personal information security.”
Pilgrim noted that consumers should also be proactive when it comes to privacy.
“While ALM fell well short of the requirements we would expect for an organisation managing personal information, breaches can occur in the best-run companies,” he commented.
“The lesson for consumers is to make informed choices about providing personal information and to take privacy into their own hands.
“Be clear about what you are providing, the value you are getting in exchange, and understand that no organisation is ‘breach-proof’.”