The parent company of infidelity dating website Ashley Madison had "inadequate" security systems and used fake security trustmark icons to reassure users of its safety, according to a joint investigation by Canadian and Australian privacy watchdogs. Conducted by the Office of the Privacy Commissioner of Canada and the Office of the Australia Information Commissioner, the probe was launched following the massive breach of Toronto-based company Avid Life Media's (ALM) computer network in July 2015 that saw the personal details of millions of users published online, including credit card details, home addresses and email accounts.
Released this week, the "highly critical" report revealed that ALM violated multiple privacy laws in both countries due to the poor way it handled users' data after they signed up for the service. Despite billing itself as a "100% discreet service", the investigation found that the website lacked a comprehensive privacy and security framework.
"Privacy breaches are a core risk for any organisation with a business model based on the collection and use of personal information," Canada's privacy commissioner Daniel Therrien said in a statement. "Where data is highly sensitive and attractive to criminals, the risk is even greater.
"Handling huge amounts of personal information without a comprehensive information security plan is unacceptable. This is an important lesson all organisations can draw from the investigation."
Last August, hackers calling themselves 'The Impact Team' broke into the company's systems and leaked a trove of sensitive user data of some 32 million users - a widely publicised breach that cost the company over a quarter of its revenue.
Although the report notes that the company, which was recently rebranded as Ruby Corp, did have some personal information security protections in place, it fell short when it came to implementing those security measures. The investigation also found some of the company's information security safeguards to be "insufficient or absent", including poor key and password management practices.
"[Avid Life Media] did have some detection and monitoring systems in place, but these were focused on detecting system performance issues and unusual employee requests for decryption of sensitive user data," the report read.
Some of the failings listed in the report included passwords being stored as plain, clear identifiable text in emails and text files on the company's systems that were also passed around within the company regularly. The company's VPN 'shared secret' password, for instance, was stored on Google Drive, potentially allowing anyone accessing an employee's machine to obtain and gain unauthorised access.
"In addition, encryption keys were stored as plain, clearly identifiable text on ALM systems, potentially putting information encrypted using those keys at risk of unauthorized disclosure," the report reads. "Finally, a server was found with an SSH key that was not password protected. This key would enable an attacker to connect to other servers without having to provide a password", the report adds."
The report also notes that the company placed a fake 'trusted security award' icon on its homepage to make users feel safe on its site. Company officials later admitted that the trustmark was fabricated and eventually took it down."
The investigation found the service's account deletion process to be "deceptive" as well, saying users who opted for the full delete option were not informed that their personal information would be retained for another 12 months until after they paid for the full delete option. Personal information associated with 'inactive' profiles and accounts that were deactivated, but not fully deleted, were retained indefinitely.
The company also failed to properly make sure that the provided customer email addresses were accurate, meaning people who may have never signed up for the dating service were also included in the databases that were published online after the breach.
"The findings of our joint investigation reveal the risks to businesses when they do not have a dedicated risk management process in place to protect personal information," said Australia's privacy commissioner Timothy Pilgrim.
The report included a series of recommendations for ALM including a review of its protection of personal information by the end of the year, stopping its practice of retaining information from deactivated accounts and training its staff on security procedures. The company will no longer be allowed to charge its users to delete their information either.
ALM has agreed to a compliance agreement, which means the company could be held liable in court if it chooses to ignore the report's recommendations.
The company is currently being investigated by the US Federal Trade Commission over its use of 'fembots' - fake profiles used to lure in and interact with users - on its websites.