The owners of hacked infidelity dating website Ashley Madison have agreed to court-enforceable improvements in how the site handles personal information, as privacy watchdogs in two countries urge consumers to make better choices about providing personal details.
Almost a year on from the data breach that left the details of more than 30 million users exposed, the findings of a joint Australian and Canadian investigation into the breach criticised the dating website's privacy and personal data security practices.
ALM, recently rebranded as 'Ruby Corp', was the target of an August 2015 data breach which involved information claimed to have been stolen from ALM, and included details of about 36 million Ashley Madison user accounts.
Australia's Privacy Commissioner, Timothy Pilgrim, and the Privacy Commissioner of Canada (OPC), Daniel Therrien, opened a joint investigation that same month.
"The findings of our joint investigation reveal the risks to businesses when they do not have a dedicated risk management process in place to protect personal information," Commissioner Pilgrim said in a statement.
"This incident shows how that approach goes beyond 'IT issues' and must include training, policies, documentation, oversight and clear lines of authority for decisions about personal information security. The report offers important lessons to any businesses relying on personal information as part of their business model."
... the Commissioners are of the view that ALM did not have appropriate safeguards in place considering the sensitivity of the personal information... nor did it take reasonable steps in the circumstances to protect the personal information it held under the Australian Privacy Act
The report identifies numerous actions and improvements that ALM will need to take to address the issues identified through the investigation process.
The report also highlights an important lesson for all users of online services, Pilgrim said.
"While ALM fell well short of the requirements we would expect for an organisation managing personal information, breaches can occur in the best run companies," he said.
... ALM had no clear way to assure itself that its information security risks were properly managed. This lack of an adequate framework failed to prevent the multiple security weaknesses
"The lesson for consumers is to make informed choices about providing personal information and to take privacy into their own hands. Be clear about what you are providing, the value you are getting in exchange, and understand that no organisation is 'breach-proof'."
ALM has offered binding commitments to each Commissioner, which are court enforceable, to improve its personal information practices and governance.
"The company has hired a security consultant to help improve its security practices," a spokesman for the office of the Canadian Privacy Commissioner is reported to have said.
In our view, it is not reasonable that personal information of users whose accounts are deactivated is required to be kept indefinitely
"[Ruby Corp.] has already taken steps to improve security practices, such as adopting multi-factor authentication for remote administrative access by employees to its network, and completing information security training of employees."
The cheating website remade itself as an "open minded dating service" earlier this year, and promised to no longer use automated programs, called bots, which masquerade as women on the hunt for men.