Cheating site had inadequate security, privacy officials say


Save Story
Leer en español

Estimated read time: 2-3 minutes

This archived news story is available only for your personal, non-commercial use. Information in the story may be outdated or superseded by additional information. Reading or replaying the story in its archived form does not constitute a republication of the story.

TORONTO (AP) — Privacy officials in Canada and Australia have found that cheating website Ashley Madison had inadequate security safeguards and policies despite marketing itself as a discreet and secure service

More than a year after a massive data breach at the website for married people seeking affairs that made international headlines, the Office of the Privacy Commissioner of Canada and the Office of the Australian Information Commissioner said Tuesday that their investigation into Ashley Madison had identified numerous violations of both countries' privacy laws.

The two agencies said in a report that Ashley Madison lacked a comprehensive privacy and security framework, even though the site's parent company, Avid Life Media Inc., knew how important that was, and even went so far as to place a fake security trust mark icon on its home page to reassure users.

Hackers originally breached Avid Life's systems in July 2015 and then posted the information online a month later after the company didn't comply with their demands to shut down Ashley Madison.

The company's use of a fictitious security trust mark meant individuals' consent was improperly obtained," Canada's privacy commissioner, Daniel Therrien, said in a statement.

Though the company did have some security measures in place, the agencies found several issues, including inadequate authentication processes for employees accessing the company's system remotely and poor key and password management practices.

In some instances, passwords were stored as plain, clearly identifiable text in emails and text files on the company's systems, the report said.

Last year's hack exposed the personal dealings and financial information of millions of purported clients.

Ashley Madison's parent company, now rebranded with a new name Ruby Corp., has said the cyberattack cost it about a quarter of its annual revenue. The company said Tuesday that it has co-operated with the investigation and entered into a compliance agreement that makes the report's recommendations enforceable in court, although it does not mean Ashley Madison admits to the findings. It vowed to take several steps to ensure better data security.

Copyright © The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.

Most recent Business stories

Related topics

Business
The Associated Press
    KSL.com Beyond Series

    KSL Weather Forecast

    KSL Weather Forecast
    Play button