In 2015 the infidelity site Ashley Madison was in the limelight when hackers stole their database with 37 million customers’ data and threatened to publish sensitive information – including sexual fantasies and names of well known people. The hackers finally put the breached data out on the web with disastrous consequences for the users of the site. One man committed suicide due to the revelations and many relationships and marriages were destroyed. Now, an investigation of Ashley Madison made jointly by the Canadian and Australian Privacy Commissioners has been released.
The report of the investigation brings about important insights into basic standards for a company’s handling of customer data and privacy. It points not only to technical safeguards, but more over looks at the way in which Ashley Madison have convinced customers about their data’s safety and confidentiality on the site, the transparency of their practices and their internal data handling processes. E.g. One key issue with Ashley Madison’s approach to their users’ privacy was that they had a number of trust marks and statements on their website’s front page that conveyed a general impression to users considering the use of the services that the site held a high standard of privacy and confidentiality. The investigation underlined that this could have been material to the users’ decision whether or not to use the site.
Another key issue was their practices regarding the retention of their users’ data. E.g. Ashley Madison keeps profile information related to user accounts which have been deactivated and profile information related to user accounts which have not been used for a prolonged period indefinitely. Following the data breach, there were also media reports that personal information of individuals who had paid Ashley Madison to delete their accounts was also included in the Ashley Madison user database that was published on the internet. In the report Ashley Madison clarifies that they delete the data of profiles that users have paid to have deleted within 48 hours so that users cannot see it, but the company retains the data for 12 months. But in the specific case of the breach due to an error, photos from deleted accounts had not actually been deleted after the 12 month period.
The main concern of the Privacy Commissioners’ investigation is that although Ashley Madison had a range of personal information security protections in place, it did not have an adequate overarching information security framework within which it assessed the adequacy of its information security. Several security safeguards were therefore insufficient or absent at the time of the data breach.
On a general note, the report concludes that it is not sufficient for an organization such as Ashley Madison, or any organization that holds large amounts of personal information of a sensitive nature, to address information security without an adequate and coherent governance framework. E.g. they should have measures in place such as a security policy, an explicit risk management process that addresses information security matters, drawing on adequate expertise; and adequate privacy and security training for all staff.
See the full report from the investigation here