News & Analysis

Findings released on joint investigation into data breach of cheating website Ashley Madison

- August 24, 2016 3 MIN READ
Ashley Madison

A report on the data breach of cheating website Ashley Madison has today been released by the Australian Privacy Commissioner Timothy Pilgrim and the Privacy Commissioner of Canada (OPC), Daniel Therrien. The joint investigation of the website follows a data breach, which affected approximately 36 million Ashley Madison user accounts.

In July last year, a person or group known as ‘The Impact Team’ hacked into Ashley Madison and threatened to expose the personal information of user account unless the site was shut down. The demand was not agreed to and as a result the private details of close to 36 million websites users was made public.

Among the data leaked were people’s real names, credit card details, street addresses and even phone numbers of senior executives at Ashley Madison. Among the list of breaches included politicians, priests, military members, civil servants and of course celebrities. One of the first high profile celebrities to be be named after the leak included former ‘19 Kids and Counting’ star Josh Duggar and also Florida State Attorney Jeff Ashton.

Ashley Madison was founded in 2008 as a dating site for married people. Its controversial slogan, ‘Life is short. Have an affair,’ was changed to ‘Find your Moment!’ in July this year as part of the company’s rebranding. To save face after losing almost a quarter of its annual revenue following the data breach the Toronto-based company also replaced founder Noel Biderman. who left in August.

The two commissioner offices have been highly critical of the website’s personal data security practices and have included in their recommendations court-enforceable commitments by Ashley Madison’s parent company, Avid Life Media Inc [ALM], which has recently been rebranded as ‘Ruby Corp.’

In August 2015, both commissioners opened a joint investigation into the breach, which was the first time the Australian and Canadian Commissioners have jointly enforced privacy protections.

“The findings of our joint investigation reveal the risks to businesses when they do not have a dedicated risk management process in place to protect personal information,” said Pilgrim.

“This incident shows how that approach goes beyond ‘IT issues’ and must include training, policies, documentation, oversight and clear lines of authority for decisions about personal information security. The report offers important lessons to any businesses relying on personal information as part of their business model.”

The report also identifies numerous actions and improvements that ALM will need to take in order to address the issues identified throughout the investigation process. The investigation considered ALM’s handling practice which included, the of retaining personal information of users after profiles have been deactivated, charging users to ‘fully delete’ their profiles, not confirming the accuracy of email addresses before collecting or using them and also looking into the company’s transparency with users about its handling of personal information.

In response to these findings, ALM has offered binding commitments to each commissioner, which are court enforceable to improve its personal information practices and governance. This result will provide closure on one of the world’s most widely reported data breaches.

“Privacy and data are global challenges and international cooperation like this will become a key tool for the future of privacy enforcement,” said Pilgrim. “Certainly, my office will always look to pursue Australians’ privacy rights, no matter where that leads.”

The Pilgrim also noted that, while providing answers for customers affected by the August 2015 breach, the report also highlights an important lesson for all users of online services.

“While ALM fell well short of the requirements we would expect for an organisation managing personal information, breaches can occur in the best run companies,” he said.

“The lesson for consumers is to make informed choices about providing personal information and to take privacy into their own hands. Be clear about what you are providing, the value you are getting in exchange, and understand that no organisation is ‘breach-proof.’”

For more information on the findings the complete report can be found here.

Image: Ashley Madison website. Source: hackmageddon.com