OTTAWA (Reuters) - The parent company of infidelity dating website Ashley Madison was responsible for numerous violations of privacy laws at the time of a massive release of customer data in a cyber attack last year, privacy watchdogs in Canada and Australia said on Tuesday.
The two countries launched an investigation after the 2015 breach of Avid Life Media Inc’s computer network, when hackers exposed the personal details of millions who signed up for the site with the slogan “Life is short. Have an affair.”
The probe found the Toronto-based company had inadequate safeguards in place, including poor password management and a fabricated security trustmark on the website’s home page.
The company, recently rebranded as Ruby Corp, has entered into agreements with authorities in both countries to comply with investigators’ recommendations, which are enforceable in court.
The company is also the target of a U.S. Federal Trade Commission investigation, Avid Life Media executives told Reuters in July.
The FTC’s consumer protection unit investigates cases of deceptive advertising, including instances when consumers are told that their information is secure but then it is handled sloppily.
The FTC could not immediately be reached for comment.
The investigation conducted jointly by the Office of the Privacy Commissioner of Canada and the Office of the Australian Information Commissioner found that certain information security safeguards were insufficient or absent at the time of the hacking attack.
While the company did have some personal information protections in place, it fell short in implementing those measures, the report found. For instance, it said some passwords and encryption keys were stored as plain, identifiable text on the company’s systems.
At the time of the breach, Ashley Madison’s home page displayed various trustmarks suggesting a high level of security, including an icon labeled “trusted security award,” the report said. Company officials later admitted they had fabricated the trustmark and removed it.
The company also inappropriately retained some personal information after profiles had been deactivated or deleted by users and did not adequately ensure the accuracy of customer email addresses, the report said. This meant that some people who had never signed up for Ashley Madison were included in databases published online after the hack, it said.
Among the investigators’ recommendations, Ruby will have until the end of the year to complete a review of the safeguards it has in place for protecting personal information. The company said on Tuesday the review was a key priority and already underway.
Reporting by Leah Schnurr; Editing by Tom Brown