Dating website Ashley Madison was the target of a data breach as a result of inappropriate security safeguards, according to the findings of a joint investigation by the Australian Privacy Commissioner, Timothy Pilgrim, and the Privacy Commissioner of Canada (OPC), Daniel Therrien.
The two offices have released joint findings that are highly critical of the dating website’s privacy and personal data security practices — and include court-enforceable commitments by Ashley Madison’s parent company, Avid Life Media Inc (ALM — recently rebranded as ‘Ruby Corp’).
In August 2015, ALM was the target of a data breach involving information claimed to have been stolen from ALM, including the details of approximately 36 million Ashley Madison user accounts.
Commissioners Pilgrim and Therrien opened a joint investigation into the breach in August 2015.
According to the findings, ALM's security framework lacked the following elements: documented information security policies or practices, as a cornerstone of fostering a privacy and security aware culture, including appropriate training, resourcing and management focus; and an explicit risk management process, including periodic and proactive assessments of privacy threats, and evaluations of security practices to ensure ALM's security arrangements were, and remained, fit for purpose.
Findings also revealed ALM lacked adequate training to ensure all staff (including senior management) were aware of, and properly carried out, their privacy and security obligations appropriate to their role and the nature of ALM’s business.
It concluded the company did not take reasonable steps in the circumstances to protect the personal information it held under the Australian Privacy Act.
“The findings of our joint investigation reveal the risks to businesses when they do not have a dedicated risk management process in place to protect personal information,” said Commissioner Pilgrim.
“This incident shows how that approach goes beyond ‘IT issues’ and must include training, policies, documentation, oversight and clear lines of authority for decisions about personal information security. The report offers important lessons to any businesses relying on personal information as part of their business model.”
Though ALM had some security safeguards in place, those safeguards appeared to have been adopted without due consideration of the risks faced, and absent an adequate and coherent information security governance framework that would ensure appropriate practices, systems and procedures are consistently understood and effectively implemented, the findings said.
As a result, ALM had no clear way to assure itself that its information security risks were properly managed. This lack of an adequate framework failed to prevent the multiple security weaknesses and is an unacceptable shortcoming for an organisation that holds sensitive personal information or a significant amount of personal information, as in the case of ALM, the findings said.
In addition to the lack of an adequate framework, the specific weaknesses (single factor authentication and poor key and password management practices) also individually and collectively constitute failures to take reasonable steps to implement appropriate security safeguards in the specific circumstances, given the volume and nature of the personal information held by ALM, the findings said.
Commissioner Pilgrim noted that the report identifies numerous actions and improvements that ALM will need to take to address the issues identified through the investigation process.
Some of the report recommendations include: conduct a comprehensive review of the protections it has in place to protect personal information; augment its information security framework to an appropriate level and implement that framework; adequately document that framework and its information security processes generally.
It also suggested ALM take steps to ensure that staff are aware of and follow security procedures, including developing an appropriate training program and delivering it to all staff and contractors with network access.
In response, ALM has offered binding commitments to each Commissioner, which are court enforceable, to improve its personal information practices and governance.
This result provides closure on one of the world’s most widely reported data breaches, and is the first time the Australian and Canadian Commissioners have jointly enforced privacy protections.
“Privacy and data are global challenges and international cooperation like this will become a key tool for the future of privacy enforcement,” said Commissioner Pilgrim. “Certainly, my office will always look to pursue Australians’ privacy rights, no matter where that leads.”