One year after the Ashley Madison data breach, during which around 36 million user accounts were published online, the fuss hasn’t died down. A recent joint investigation by the Office of the Privacy Commissioner of Canada (OPC) and the Office of the Australian Information Commissioner (OAIC) discovered that the Toronto-based Avid Life Media Inc. (ALM) – the owner of the infidelity website – was violating numerous privacy laws at the time of the data breach.
Lack of comprehensive privacy and security framework
Although Ashley Madison’s motto was a “100% discreet service”, the joint investigation found several flaws and inadequate safeguards and policies, in breach of Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and Australia’s Privacy Act:
- Inadequate authentication processes for employees working remotely;
- Encryption keys stored as plaintext on ALM systems, freely accessible by all employees;
- Poor key and password management practices;
- Inappropriate retention of personal information after user profiles had been deactivated.
Furthermore, at the time of the breach, the company homepage showed a bogus trustmark that misled users about the company’s security protections. “The company’s use of a fictitious security trustmark meant individuals’ consent was improperly obtained”, said Privacy Commissioner of Canada Daniel Therrien.
A lesson all organizations should learn
Information security should be the number one priority for all organizations that handle and store sensitive information. “Handling huge amounts of this kind of personal information without a comprehensive information security plan is unacceptable. […] Security measures should be documented in writing and include technological, physical and organizational safeguards,” said Commissioner Therrien. “Businesses must also assess risks, align their policies to mitigate those risks and train employees to ensure that policies are actually implemented and followed.”
ISO 27001, the international information security standard
All companies handling and storing sensitive information should have a systematic approach to manage and secure such high-value data. A good approach is to comply with ISO/IEC 27001. This international standard provides a framework for implementing an information security management system (ISMS) that allows organizations to manage the confidentiality, integrity, and availability of their information assets.