Ashley Madison Security Investigation: “Unacceptable shortcomings” Report Finds

Privacy watchdog investigating the now infamous Ashley Madison data hack of July 2015 reports that the website used inadequate security systems and conned users into thinking it was more secure than it actually was.

The report released this week stated that Avid Life Media, the Canadian based owners of the Ashley Madison website had violated privacy laws due to the lax way it stored and used the data that users voluntarily gave the company when they signed up.

The joint investigation by both the Australian Privacy Commissioner and the Privacy Commissioner of Canada is scathing of the way the Ashley Madison website administered its privacy and security practices.

The report noted in particular that a large part of the Ashley Madison IT team’s efforts to monitor its own security were “focused on detecting system performance issues and unusual employee requests for decryption of sensitive user data.”

The highly critical report also found that website owner Avid Life Media did not have “appropriate safeguards, including documented information security policies or practices, an explicit risk management process, and training for staff about their privacy and security obligations.”

Daniel Therrien, Canada’s privacy commissioner, said in a statement:

“Privacy breaches are a core risk for any organisation with a business model based on the collection and use of personal information… Privacy breaches are a core risk for any organisation with a business model based on the collection and use of personal information…Handling huge amounts of this kind of personal information without a comprehensive information security plan is unacceptable.”

The report also found that poor habits such as inadequate authentication processes and sub-par key and password management practices were commonplace at Ashley Madison.

However, perhaps the most controversial finding of the report was the fact that the affair specialist website had actually retained the personal information of users who had paid an extra fee to Avid Life Media to delete all their personal information.

Avid Life Media has said it will abide by the report’s findings to improve the way it handles data.