You blew it, Ashley Madison: Dating site slammed for security 'shortcomings'
An investigation into the Ashley Madison hack finds that the site's owners "fell well short" of protecting customer privacy, but the 36 million members of the dating site probably already knew that.
Claire Reilly, Former Principal Video Producer
Ashley Madison, which goaded more prudish corners of the internet with the tagline "Life is short. Have an affair," was hacked in July 2015 by a group calling itself The Impact Team. The hackers warned the site's owner, ALM, that they would leak personal details of 36 million members unless ALM changed its policies -- specifically around letting users permanently delete their accounts.
Now, the joint Australian-Canadian investigation into the hack has found ALM "fell well short" of its responsibility to customers.
The report found that ALM "did not have appropriate safeguards in place considering the sensitivity of the personal information" it held. This included a lack of "documented information security policies... [and] an explicit risk management process" and a failure to adequately train staff at all levels on their security and privacy obligations.
The Privacy Commissioners also slammed ALM for its practice of retaining customer information, even after users had deleted or deactivated their accounts, some having paid for the privilege of doing so.
"Though ALM had some security safeguards in place, those safeguards appeared to have been adopted without due consideration of the risks faced," the report found.
The report concluded that this was "an unacceptable shortcoming" considering Ashley Madison's high profile as an adult dating site trading in sensitive information.
ALM has agreed to a number of remedies, including the promise to conduct a comprehensive review of security, to stop indefinite retention of information from deleted profiles and to provide a "no-cost option" for users who want to withdraw consent for their information being held by the site.
Rob Segal, the CEO of Ruby (formerly ALM) who took the reins in April this year, says the company voluntarily entered the new compliance arrangements.
"The company continues to make significant, ongoing investments in privacy and security to address the constantly evolving threats facing online businesses," he said in a statement on the Ashley Madison site. "These investments are the cornerstone of rebuilding consumer trust over the long-term."