Ashley Madison’s parent company deceived its customers by touting the infidelity website as being highly secure prior to the 2015 data breach that allowed the sensitive details of millions of its users to be leaked online, Canadian and Australian authorities said this week.
That finding is among those included in a report released Tuesday upon completion of a joint investigation launched by privacy officials in Ottawa and Sydney last year after Ashley Madison and its parent company, formerly Avid Life Media, saw its source code and internal emails dumped online along with the account details concerning roughly 36 million of its websites’ users.
The report accuses the company of committing several privacy-law violations in both Canada and Australia including those related to false promises of security made by the Toronto-based company to its users prior to the data breach — one of the largest to ever unfold, according to police in Ontario’s capital.
Avid Life Media, “did not have appropriate safeguards in place considering the sensitivity of the personal information” it hosted, and details about the security practices purportedly in place were “either absent, difficult to understand or deceptive,” the investigators said in the report.
In addition to failing to implement adequate security safeguards, the company also embedded “phony” icons on its websites containing phrases such as “trusted security award,” the report acknowledges. That award, according to investigators, “was simply their own fabrication rather than a validated designation by any third party.”
“The company’s use of a fictitious security trustmark meant individuals’ consent was improperly obtained,” Canada’s privacy commissioner, Daniel Therrien, said in a statement.
“Where data is highly sensitive and attractive to criminals, the risk is even greater. Handling huge amounts of this kind of personal information without a comprehensive information security plan is unacceptable. This is an important lesson all organizations can draw from the investigation,” Mr. Therrien added.
Avid Life Media re-branded as Ruby Corp. earlier this year, and its newest CEO, Rob Segal, said the company cooperated with investigators throughout the international probe.
“The company continues to make significant, ongoing investments in privacy and security to address the constantly evolving threats facing online businesses. These investments are the cornerstone of rebuilding consumer trust over the long term,” Mr. Segal said in a statement.
Despite finding the company at fault for multiple privacy-law violations, Ruby Corp. will avoid repercussions in Canada and Australia for now as a result of voluntarily signing compliance agreements with privacy authorities, investigators said.
“Canada’s Commissioner does not have order-making powers and cannot impose fines or penalties,” Office of the Privacy Commissioner of Canada spokesperson Tobi Cohen told Motherboard. “If the company falls short of its commitments under the compliance agreement, we will take the matter to court. As you know, the Federal Court does have order-making power and the authority to award damages.”
Individuals known only as The Impact Team have been attributed with breaching Avid’s computers last year and subsequently leaking gigabytes’ worth of internal data stolen from its servers. No arrests have been made in connection with the attack.
• Andrew Blake can be reached at ablake@washingtontimes.com.
Please read our comment policy before commenting.