Privacy watchdogs from Australia and Canada have accused cheater dating site Ashley Madison of misleading users over the security of the site.
Ashley Madison’s owners, Canadian firm Avid Life Media (ALM), stands accused of making bogus security claims following a joint investigation by Australia’s and Canada’s privacy commissioners in to the 2015 breach, which exposed sensitive details of 37 million users.
The commissioners called out ALM, now known as Ruby Corp, for placing security awards on the site that suggested a high level of security, which it did not provide, and which may have encouraged users to trust the service. The various labels included claims such as “trusted security award”, “SSL secure”, and “100% discreet service”.
“On their face, these statements and trust-marks appear to convey a general impression to individuals considering the use of ALM’s services that the site held a high standard of security and discretion and that individuals could rely on these assurances. As such, the trust-mark and the level of security it represented, could have been material to their decision whether or not to use the site,” the commissioners wrote.
They acknowledged that ALM had some measures in place to protect personal information, however found that it lacked a framework to assess the adequacy of its information security.
However, ALM’s chief failings centred on a lack of documentation for security procedures, processes and training, while technical aspects, from encrypting passwords to secure connections, were adequately covered, according to the report.
The commissioners accepted the explanation that the attacker, a group known as the Impact Team, had compromised an employee’s credentials and used them to access the firm’s corporate network, from where user details were stolen.
An enforceable undertaking from the Australian Information Commission demands ALM ditch elements of its controversial account deletion function, which formerly required users to pay in order to guarantee account details were removed.
ALM has until 31 March, 2107 to stop indefinitely storing personal details of users who’ve cancelled their accounts. ALM could face light penalties for non-compliance from the Australian watchdog, which has the power to seek a fine of up to $1.7m through civil litigation.
The company has some leeway to determine what is an appropriate period following deactivation of an account, however it must inform current and future users of the policy and then stick to it from that date onwards.
Importantly, the order aims to prevent ALM from charging users to have their account details deleted, though the order does not extend to information previously shared with prospective dates.
“ALM undertakes to continue to provide a no-cost option for individuals to withdraw their consent for ALM to hold their account profile information. This need not include all of the premium deletion services currently offered as part of the full delete service, specifically, it need not include the deletion of personal information sent to other ALM users from those users’ in-boxes,” the order from Australia’s information commissioner states.
Ruby Corp says it will comply with these terms, promising not to hold user information beyond the agreed retention period. It has not yet proposed a retention period, however it has committed to telling users when it does update its policy.
“The company will continue to provide a no-cost option for individuals to request deletion of their account profile information,” Ruby Corp said in a statement, adding that it had offered a free account deletion function since September 2015.