Ashley Madison failed its cheaters, privacy commission report finds
Controversial ‘discreet affair’ website had inadequate protections before it was hacked, report says.
The controversial Ashley Madison ‘discreet affair’ website failed to provide adequate security protections before it was hacked and the personal information of 36 million users was posted online, a joint investigation by the Australian and Canadian Privacy Commissioners has found.
Ashley Madison, a place for ‘married men and women’ to pursue affairs and cheat, was hacked last year by a group identifying itself as Impact Team, with personal details of approximately 36 million users stolen.
Both offices were scathing in their findings, declaring Ashley Madison’s Canada-based parent company ALM, recently rebranded as Ruby Corp, failed to provide appropriate training, policies, documentation, oversight and clear lines of authority for decisions about personal information security.
The investigation found the attackers’ initial path of intrusion involved the compromise and use of an employee’s valid account credentials.
The attacker then used those credentials to access ALM’s corporate network and compromise additional user accounts and systems. Over time the attacker accessed information to better understand the network topography, to escalate its access privileges, and to exfiltrate data submitted by ALM users on the Ashley Madison website, the report said.
“At the time of the breach, ALM did not have a documented risk management framework guiding how it determined what security measures would be appropriate to the risks it faced,” the report said.
Australian Privacy Commissioner Timothy Pilgrim said the report identifies numerous actions and improvements that ALM will need to take to address the issues identified through the investigation, and that the company had offered court-enforceable binding commitments to improve its personal information practices and governance.
“Privacy and data are global challenges and international co-operation like this will become a key tool for the future of privacy enforcement,” Mr Pilgrim said.
“Certainly, my office will always look to pursue Australians’ privacy rights, no matter where that leads.
“While ALM fell well short of the requirements we would expect for an organisation managing personal information, breaches can occur in the best-run companies.”
The Impact Team last year posted a torrent file online that led to a searchable database allowing anyone — spouses or otherwise — to look up people by name or email address and retrieve information about their sexual preferences, contact details, body type, and fetishes.
The team also had a message for any victims of their attack.
“Find yourself in here?” the group asked.
“It was ALM that failed you and lied to you. Prosecute them and claim damages. Then move on with your life. Learn your lesson and make amends. Embarrassing now, but you’ll get over it.”