Ashley Madison failed to deliver security measures on user details and featured a phoney security certification on its homepage.
An investigation into the dating website has found that it had a fabricated security trustmark and its parent Avid Life Media (ALM) also had inadequate security safeguards and policies. As a result, privacy laws in Canada and Australia were violated, whose commissioners have issued a number of recommendations aimed at bringing the company into compliance with privacy laws.
The investigation was conducted jointly by the Office of the Privacy Commissioner of Canada and the Office of the Australian Information Commissioner, and examined compliance with both the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal private sector privacy law and Australia’s Privacy Act.
It found that there were inadequate authentication processes for employees accessing the company’s system remotely, that encryption keys were stored as plain, clearly identifiable text and the ‘shared secret’ for its remote access server was available on the ALM Google drive; meaning anyone with access to any ALM employee’s drive on any computer could have potentially discovered it. Also, instances of storage of passwords as plain, clearly identifiable text in emails and text files were found on the company’s systems.
The company was also “inappropriately” retaining some personal information after profiles had been deactivated or deleted by users, the investigation found, while the company also failed to adequately ensure the accuracy of customer email addresses it held, which resulted in the email addresses of people who had never actually signed up for Ashley Madison being included in the databases published online following the breach.
The trustmark suggested that it had won a “trusted security award”, but ALM officials later admitted the trustmark was their own fabrication and removed it.
Daniel Therrien, Canadian privacy commissioner, said that the company’s use of a fictitious security trustmark meant individuals’ consent “was improperly obtained”.
“Where data is highly sensitive and attractive to criminals, the risk is even greater,” he said. “Handling huge amounts of this kind of personal information without a comprehensive information security plan is unacceptable. This is an important lesson all organizations can draw from the investigation.”
Security consultant Dr Jessica Barker told Infosecurity in an email that the use of “fake icons”, which may encourage people to think a site is safe, was concerning.
She said: “Many people don't know a great deal about internet security or the legal requirements, and how to check the extent to which an organization takes cybersecurity seriously, and will put appropriate measures in place to safeguard personal and financial information."
“Although my research suggests that people are worried about cybersecurity, many people are also very trusting of websites and on seeing icons which suggest a site is safe they will, quite understandably, take that at face-value.”
Jon Christiansen, senior security consultant at Context Information Security, said that putting up fake icons to proclaim security levels that the company doesn’t possess is nothing new, as given the cost of the certification process, the low likelihood of passing first time and the seemingly limited consequences if discovered, it isn’t hard to see why businesses think they can just take the shortcut of copying the icon.
He told Infosecurity: “As there is no way to verify the legitimacy of it, normal users have no choice but to trust it. Another area where it is used is in phishing campaigns. When people are tricked into visiting a malicious website, their overall suspicion level can be lowered by plastering the site with icons showing PCI DSS compliance logos, the green SSL padlock icon or similar. People have come to expect these from the genuine sites that they visit.”
The UK Information Commissioner’s Office (ICO) announced in 2013 that it had written to eHarmony, match.com, Cupid and Global Personals and the industry trade body, the Association of British Introduction Agencies, over concerns about handling personal data.
In a statement emailed to Infosecurity, an ICO spokesperson said: “We will continue to work with online dating companies, including the Online Dating Association trade body, to ensure continued compliance by the sector.”
Barker added: “Although many sites, especially dating sites, can hold very personal and sensitive information on individuals, the penalties for a breach of such information have not tended to be particularly harsh. Reputational damage is the biggest concern for most organizations in relation to a data breach or cyber-attack. This may change to some extent under GDPR, with the potential for much harsher penalties."
“However, people can also have an impact by 'voting with their feet' and demanding that companies take security and privacy seriously. If a breach doesn't impact an organization's bottom line then unfortunately, many organizations will interpret that as meaning it's not a concern to their customers and so not something they need to prioritize.”
Christiansen said: “It isn’t just dating websites that need more stringent tests, though their access to personal info is of course greater than many sites. It should be a broader process, because if the icons are to mean anything at all, the issuers need to have a better way of checking if a website is – or isn’t – part of their list of compliant sites. This could potentially be implemented via a ‘Check a site’ feature on their website that people can use to verify sites before using them.”
ALM cooperated with the investigation and agreed to demonstrate its commitment to addressing privacy concerns by entering into a compliance agreement with the Canadian Commissioner and enforceable undertaking with the Australian Commissioner, making the recommendations enforceable in court. In July ALM announced that it was rebranding to be called Ruby Life.