Watchdog Says AshleyMadison Security Protocols Violated Protection Laws

The Office of the Privacy Commissioner of Canada said Tuesday that the Canada-based online dating and social networking service Ashely Madison used inadequate privacy and security technology while marketing itself as a discreet and secure way for consenting adults to have affairs.

In a report Tuesday, the security watchdog  says the Toronto-based company disregarded various privacy laws in Canada and abroad in the time before a huge data breach uncovered classified information from their customers to hackers. The hack stole correspondence, identifying details and even credit card information from a large number of the site’s users. At the time of the break in July 2015, AshleyMadison claimed to have 36 million users and took in more than $100 million in yearly income.

The subsequent scandal cost the company around a fourth of its yearly incomes from incensed customers who demanded refunds and cancelled their accounts.

Working with a comparable office in Australia, the privacy group says the company knew that its security protocols were lacking, however, didn’t do what’s needed to prepare for being hacked. The company even enhanced its site with the logo of a “trusted security award” a claim the company admits is fabricated.

The report found, poor habits, for example, insufficient authentication processes and sub-par key and password management practices were widespread at the company. A great part of the company’s endeavors to screen its own particular security were “focused on detecting system performance issues and unusual employee requests for decryption of sensitive user data,” the report found.

“Handling huge amounts of this kind of personal information without a comprehensive information security plan is unacceptable,” privacy commissioner Daniel Therrien said in a statement. “This is an important lesson all organizations can draw from the investigation.”

The company also inappropriately retained some personal information after profiles had been deactivated or deleted by users and did not adequately ensure the accuracy of customer email addresses, the report said. This meant that some people who had never signed up for AshleyMadison were included in databases published online after the hack, it said.

“The company continues to make significant, ongoing investments in privacy and security to address the constantly evolving threats facing online businesses. These investments are the cornerstone of rebuilding consumer trust over the long term,” company CEO Rob Segal said in a statement.

The company co-operated with the privacy watchdog’s investigation and has agreed to a compliance agreement. That means if it is found later to have ignored any of the report’s recommendations, it could be held liable in court.