Ashley Madison: a security cheat and not so discreet

Privacy watchdogs from Australia and Canada have accused cheater dating site Ashley Madison of misleading users over the security of the site.

Ashley Madison’s owner, Canadian firm Avid Life Media (ALM), stands accused of making bogus security claims following a joint investigation by Australia’s and Canada’s privacy commissioners into the 2015 breach, which exposed sensitive details of 37 million users.

The commissioners called out ALM, now known as Ruby Corp, for placing security awards on the site that suggested a high level of security, which it did not provide, and which may have encouraged users to trust the service. The various labels included claims such as “trusted security award”, “SSL secure”, and “100% discreet service”.

“On their face, these statements and trust-marks appear to convey a general impression to individuals considering the use of ALM’s services that the site held a high standard of security and discretion and that individuals could rely on these assurances. As such, the trust-mark and the level of security it represented, could have been material to their decision whether or not to use the site,” the commissioners wrote.

They acknowledged that ALM had some measures in place to protect personal information, but found that it lacked a framework to assess the adequacy of its information security.

However, ALM’s chief failings centred on a lack of documentation for security procedures, processes and training, while technical aspects, from encrypting passwords to secure connections, were adequately covered, according to the report.

The commissioners accepted the explanation that the attacker, a group known as the Impact Team, had compromised an employee’s credentials and used them to access the firm’s corporate network, from where user details were stolen.

An enforceable undertaking from the Australian Information Commission demands ALM ditch elements of its controversial account deletion function, which formerly required users to pay in order to guarantee account details were removed.

ALM has until 31 March, 2107 to stop indefinitely storing personal details of users who’ve cancelled their accounts. ALM could face light penalties for non-compliance from the Australian watchdog, which has the power to seek a fine of up to $1.7m through civil litigation.

The company has some leeway to determine what is an appropriate retention period following deactivation of an account, but it must inform current and future users of the policy and then stick to it from that date onwards.

Importantly, the order aims to prevent ALM from charging users to have their account details deleted, though the order does not extend to information previously shared with prospective dates.

“ALM undertakes to continue to provide a no-cost option for individuals to withdraw their consent for ALM to hold their account profile information. This need not include all of the premium deletion services currently offered as part of the full delete service, specifically, it need not include the deletion of personal information sent to other ALM users from those users’ in-boxes,” the order from Australia’s information commissioner states.

Ruby Corp says it will comply with these terms, promising not to hold user information beyond the agreed retention period. It has not yet proposed a retention period, but it has committed to telling users when it does update its policy.

“The company will continue to provide a no-cost option for individuals to request deletion of their account profile information,” Ruby Corp said in a statement, adding that it had offered a free account deletion function since September 2015.
