The company behind controversial infidelity dating site Ashley Madison – the victim of one of the worst corporate computer hacks in recent Canadian history – had "inadequate security safeguards and policies" and deceived users with a "phony trustmark icon" on its homepage, the country's privacy watchdog found in a year-long investigation made public Tuesday.
In a sweeping order, the Office of the Privacy Commissioner of Canada demanded the company build better internal security systems, offer users more control over their data in order to mitigate the risk of another data breach and also remove fake "security awards" the company had posted on its website. The order, which the company has agreed to, comes just a month after Ruby Corp., formerly known as Avid Life Media Inc., appointed a new chief executive officer and launched a marketing campaign aiming to broaden its appeal and win back trust.
It's also one of the first compliance orders the OPC has issued under new powers it obtained in 2015's amendments to Canada's Personal Information Protection and Electronic Documents Act.
Previously, the OPC issued only non-binding reports and recommendations after investigations, though failure to act on those recommendations was sometimes referred to federal courts for enforcement.
In July, 2015, a group of hackers calling itself the Impact Team published personal details about the more than 30 million Ashley Madison users who signed up presumably to have an affair, find a sugar daddy or live the life of a cougar (just some of the dating services offered by the 14-year-old company).
The hackers also released thousands of internal e-mails stolen from Toronto-based Avid Life Media, which painted a picture of a company that was reckless with its internal security controls, loose with user data, and also in the business of creating thousands of fake accounts for fictional women to boost revenue and engagement by luring male users.
Privacy Commissioner of Canada Daniel Therrien took the extraordinary step of initiating the investigation himself – in co-operation with the Office of the Australian Information Commissioner – after his office was contacted by several users who didn't want to become the face of a government investigation into the scandalous service.
"The number of individuals affected was large," Mr. Therrien said in an interview. "People may have reservations about the services offered by the site, but this case showed itself to be symptomatic of problems that might exist elsewhere. In 2016, many companies rely on the collection and handling of much personal information as part of their business model. We see too often they do not have a comprehensive security model. Many, many companies fall short. I can only hope this event will lead to companies paying attention to the risks."
Outlining the worrisome behaviour by the former Avid Life, the OPC report found its encryption keys – needed to protect user communications – were stored as plain-text files on its computers, making them easy targets for theft in the event of a security breach. It also had poor controls on remote access to its systems, including storing critical shared-drive credentials in a Google document available to all users.
"That is the equivalent of locking the door and leaving the key in the door," Mr. Therrien said.
Eldon Sprickerhoff, founder and chief security strategist of eSentire, a digital security company based in Cambridge, Ont., called the incident "a cautionary tale."
"Had Ashley Madison gone through a thorough PCI (Payment Card Industry) audit, they would have failed based on the measures they had in place at the time of the hack," Mr. Sprickerhoff said. "This hasn't gone away. All of the data from the Ashley Madison hack is still widely available on the dark Web, which is a testament to the longevity and far-reaching impacts of a breach like this."
During the initial phase of the investigation, Avid Life admitted it was still using fabricated credentials that it posted on its website, which implied it had a third-party "trusted security award." Even before the compliance agreement was in place, the company removed those fake certificates.
"The company's use of a fictitious security trustmark meant individuals' consent was improperly obtained," Mr. Therrien wrote in the report.
"We hope that by openly speaking about the breach and our commitments to the OPC and the OAIC, we can help other organizations and business leaders who are facing increased cybersecurity challenges," Rob Segal, who became chief executive officer of Ruby in April, said in a statement released by the company. Representatives declined to comment further. "The company has co-operated with the commissioners throughout their investigation and will continue to share information with them as we honour the terms of the compliance agreement and enforceable undertaking."
In July, Ruby told Reuters that it expects to earn $80-million in revenue in 2016, down from $109-million in 2015. Once valued in the billion-dollar range by departed founder and former CEO Noel Biderman, the new executive team admits it is no longer worth that lofty figure. The company has even begun to play down the infidelity elements of its "discreet dating" services and recently began a new brand offensive centred around the slogan "Choose your moment."
The agreement is enforceable in Canada because, if the commissioner is of the opinion that its terms are not being met, he can refer the case to the federal courts to carry out the orders, or seek other judicial relief. The commissioner can also request documents and information, and conduct visits to Ruby's head office on 10 days' notice, to ensure the orders are being complied with.
"We'll look at how they comply with this agreement. We're mindful they have used deceptive practices in the past," Mr. Therrien said.
Among the undertakings agreed to by Mr. Segal is a commitment to ensure the company has built a proper security framework by May 31, 2017. By March 31, 2017, it must also stop its practice of indefinitely storing personal user information, and create a system to verify the accuracy of e-mail addresses used to sign up (or remove the e-mail sign-up requirement).
That last provision is in response to the uncomfortable spot many people found themselves in when Ashley Madison's e-mails were published online. "People who had never actually signed up for Ashley Madison [were] included in the databases published online following the breach," the report explains. "This issue raised particular concerns given that, for both users and non-users, any association with a site such as Ashley Madison could cause serious reputational harm."
Another condition of the agreement is to maintain its policy, enacted in September, 2015, following the breach, of deleting user information at no charge. Prior to the breach, Ashley Madison sites would charge users a fee to remove the person's data, though it was revealed that even if the company collected the fee, the data sometimes remained in the system.
News of the hack was front-page news in 2015, but it did not serve as a wake-up call to other businesses that, experts say, still haven't secured sensitive data in the ways the OPC is now demanding.
"It is a pandemic; breaches are the third certainty in life," says Adam Levin, chairman and founder of IDT911, an Arizona-based identity theft protection and data breach prevention company, as well as the author of the book Swiped. "You've got to take it more seriously. The personally identifying data of a company's employees and customers deserves the same respect and security as intellectual property and trade secrets. It's changing; we're getting better, but we're certainly not there yet."
Ruby and Ashley Madison still face class-action lawsuits in Canada and the United States, and the U.S. Federal Trade Commission has also opened an investigation into its use of so-called fembots, the fake profiles revealed by the hack that in some cases were still interacting with users well into 2015.