"Life is short. Have a dedicated risk management process in place to protect personal information."
That's not a sexy tagline for a dating website that encouraged members to conduct extra-marital affairs. But it's one that Ashley Madison might be wishing it adopted after it was hacked last year.
Now, the Canadian company behind Ashley Madison, Avid Life Media (ALM), has been the subject of a scathing report from the Privacy Commissioner of Canada and the Australian Privacy Commissioner, criticising ALM's actions following the massive data breach. (In July this year, ALM rebranded as Ruby, though the report refers to the company by its previous name).
Ashley Madison, which goaded more prudish corners of the internet with the tagline "Life is short. Have an affair," was hacked in July 2015 by a group calling itself The Impact Team. The hackers warned ALM that it would leak personal details of 36 million members unless ALM changed its policies -- specifically around letting users permanently delete their accounts.
ALM declined, the hackers leaked the data and scandal ensued as users panicked about their private lives and the internet raked through the dirty laundry.
Now, the joint Australian-Canadian investigation into the hack has found ALM "fell well short" of its responsibility to customers.
The report found that ALM "did not have appropriate safeguards in place considering the sensitivity of the personal information" it held. This included a lack of "documented information security policies... [and] an explicit risk management process" and that it failed to adequately train staff at all levels on their security and privacy obligations.
The Privacy Commissioners also slammed ALM for its practice of retaining customer information, even after users had deleted or deactivated their accounts, some having paid for the privilege of doing so.
"Though ALM had some security safeguards in place, those safeguards appeared to have been adopted without due consideration of the risks faced," the report found.
The report concluded that this was "an unacceptable shortcoming" considering Ashley Madison's high-profile as an adult dating site trading in sensitive information.
ALM has agreed to a number of remedies, including the promise to conduct a comprehensive review of security, to stop indefinite retention of information from deleted profiles and to provide a "no-cost option" for users who want to withdraw consent for their information being held by the site.
The CEO of Ruby (formerly ALM) who took the reins in April this year, Rob Segal, says the company voluntarily entered the new compliance arrangements.
"The company continues to make significant, ongoing investments in privacy and security to address the constantly evolving threats facing online businesses," he said in a statement on the Ashley Madison site. "These investments are the cornerstone of rebuilding consumer trust over the long-term."