The Australian Privacy Commissioner, Timothy Pilgrim, and the Privacy Commissioner of Canada (OPC), Daniel Therrien, have finished a joint investigation into the data breach of affair facilitating site Ashley Madison — and the results are damning for the dating website's privacy and personal data security practices.
The Office of the Australian Information Commissioner today released a statement detailing the findings of the investigation, including "court-enforceable commitments" by Ashley Madison's parent company, Avid Life Media Inc, which was recently rebranded as "Ruby Corp".
"The findings of our joint investigation reveal the risks to businesses when they do not have a dedicated risk management process in place to protect personal information," said Commissioner Pilgrim.
"This incident shows how that approach goes beyond 'IT issues' and must include training, policies, documentation, oversight and clear lines of authority for decisions about personal information security. The report offers important lessons to any businesses relying on personal information as part of their business model."
On 15 July 2015, a group (or individual — we still don't know) called "The Impact Team" announced that it had hacked ALM. The Impact Team threatened to expose the personal information of Ashley Madison users unless ALM shut down Ashley Madison and another of its websites, Established Men, which is targeted at mature men seeking younger women. ALM did not agree to this demand.
On 20 July 2015, following media reports and after an invitation from the Office of the Privacy Commissioner of Canada (OPC), ALM voluntarily reported details of the breach to the OPC. Subsequently, on 18 and 20 August 2015, The Impact Team published information it claimed to have stolen from ALM, including the details of approximately 36 million Ashley Madison user accounts.
Given the scale of the data breach, the sensitivity of the information involved, the impact on affected individuals, and the international nature of ALM's business, the Office of the Australian Information Commissioner (OAIC) and the OPC jointly investigated ALM's privacy practices at the time of the data breach.
The investigation initially examined the circumstances of the data breach and how it had occurred. It then considered ALM's information handling practices that may have affected the likelihood or the impact of the data breach.
Although ALM's security was compromised by The Impact Team, a security compromise does not necessarily point to a contravention of the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) or the Australian Privacy Principles (APPs) in the Australian Privacy Act, the report has concluded. Whether a contravention occurred depends on whether ALM had, at the time of the data breach, implemented safeguards appropriate to the sensitivity of the information it held and taken such steps as were reasonable in the circumstances to protect the personal information it held.
The investigation also considered ALM's practices, including retaining the personal information of users after profiles had been deactivated or deleted by users, or had become inactive; charging users to "fully delete" their profiles; not confirming the accuracy of user email addresses before collecting or using them; and its transparency with users about its personal information handling practices.
The investigation identified a number of contraventions of the APPs and PIPEDA.
Although ALM had a range of personal information security protections in place, it did not have an adequate overarching information security framework within which it assessed the adequacy of its information security.
"Certain security safeguards in some areas were insufficient or absent at the time of the data breach," the report reads, without going into detail.
"The most broadly applicable lesson is that it is crucial for organisations that hold personal information electronically to adopt clear and appropriate processes, procedures and systems to handle information security risks, supported by adequate expertise (internal or external)," the report reads.
"This is especially the case where the personal information held includes information of a sensitive nature that, if compromised, could cause significant reputational or other harms to the individuals affected".
The advice given? Have a security policy and an explicit risk management process that addresses information security matters, drawing on adequate expertise, together with adequate privacy and security training for all staff.
"It is not sufficient for an organization such as ALM, or any organisation that holds large amounts of personal information of a sensitive nature, to address information security without an adequate and coherent governance framework".
But while there are steps you can take to protect yourself, all individuals have the right to expect that their personal information will be managed in accordance with the Australian Privacy Act 1988.