The answer is, no one really knows. Ashley Madison, a subsidiary of Ruby Corporation, formerly Avid Life Media (ALM), would like its 49,285,000 members to believe their personal information is secure, but the truth is that it may not be secure at all. In spite of the promises Ashley Madison made to its subscribers, citing its services as “anonymous” and “100% Discreet,” Ashley Madison subscribers may be as vulnerable as they were during the now famous data breach in 2015!
A group identifying itself as “The Impact Team” hacked into ALM servers between July 15 and August 20, 2015, releasing the private data of approximately 36 million user accounts online. The searchable information contained profile details such as user names, addresses, passwords, phone numbers, gender, height, weight, ethnicity, body type, and experiences sought during the affairs, as well as account information such as personal email addresses, passwords, security questions, billing addresses and the last four digits of the credit card numbers used to open the account. In addition to the many subscribers’ personal data, the CEO was also affected, his private email messages having been made publicly searchable.
Citing numerous violations of privacy laws, the Office of the Privacy Commissioner of Canada and the Office of the Australian Information Commissioner conducted a joint investigation focusing on four key issues: information security; retention and deletion of user accounts; accuracy of email addresses; and transparency with users.
Even in the wake of the irreparable damage of Ashley Madison’s famous security breach, in which some people lost their jobs and some took their lives, ALM acknowledged the Commissioners’ findings but did not admit the truth of the findings, claims or arguments set out in the Report of Findings.
If these findings are not rectified by the timeline stated within the agreement, the OPC may then apply to the Federal Court for an order requiring ALM to comply with the agreement, or for such other relief as may be available in law, in accordance with s. 17.2(2) of the Act. It is unknown how long the application process itself could take, let alone the litigation process, while subscribers remain vulnerable.
ALM had remarkably mediocre security practices. The OPC found definite gaps in its critical security coverage, including a failure to implement commonly used detective countermeasures, such as intrusion detection or prevention systems that could facilitate detection of attacks or identify intrusions (ALM failed to monitor unusual logins). There were instances of unauthorized access to ALM’s systems, using valid security credentials, weeks before the actual data disclosure, which gave further credence to the finding that ALM was not adequately monitoring its systems for intrusion. ALM had no documented risk management framework guiding how it would determine which security measures were appropriate for the privacy risks it faced, and so no way to ensure its security arrangements were adequate for its business purposes, which left holes. As the OPC’s own press release noted:
- There were inadequate authentication processes for employees accessing the company’s system remotely as ALM failed to use multi-factor authentication practices.
- ALM’s network protections included encryption on all web communications between the company and its users; however, encryption keys were stored as plain, clearly identifiable text on ALM systems. That left information encrypted using those keys at risk of unauthorized disclosure.
- ALM had poor key and password management practices. For example, the company’s “shared secret” for its remote access server was available on the ALM Google drive — meaning anyone with access to any ALM employee’s drive on any computer, anywhere, could have potentially discovered it.
- Instances of storage of passwords as plain, clearly identifiable text in e-mails and text files were also found on the company’s systems.
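The OPC’s finding that ALM failed to monitor unusual logins, including successful access with valid credentials weeks before the disclosure, is exactly the gap a basic detective control covers. As an added illustration that is not part of the original article, the OPC report or ALM’s systems, the following Python flags successful logins that come from a network the user has never been seen on before, or that fall outside assumed working hours; the log format, the sample lines, the seven-day baseline window and the work-hour range are all constructed assumptions.

```python
"""Flag logins that succeed with valid credentials but look unusual.

Constructed example (not ALM's logs or the OPC's method): each log line
is "timestamp user src_ip result". A successful login is flagged when the
user has never been seen from that /24 network after a baseline period,
or when it happens outside the assumed working-hour window.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_network

# Constructed sample log lines for illustration only.
SAMPLE_LOG = """\
2015-06-01T09:12:03 alice 10.20.30.5 success
2015-06-02T10:05:44 alice 10.20.30.7 success
2015-06-03T14:48:10 bob 192.0.2.40 success
2015-06-20T03:17:55 alice 198.51.100.9 success
2015-06-21T11:00:00 bob 203.0.113.77 failure
2015-06-22T02:30:00 bob 203.0.113.77 success
"""

WORK_HOURS = range(7, 20)  # assumed normal window, 07:00-19:59


def parse(log_text):
    """Yield (timestamp, user, ip, result) tuples from the constructed format."""
    for line in log_text.splitlines():
        ts, user, ip, result = line.split()
        yield datetime.fromisoformat(ts), user, ip, result


def detect_unusual_logins(log_text, baseline_days=7):
    """Return (timestamp, user, reasons) for each suspicious successful login.

    The first `baseline_days` days of a user's activity build that user's
    set of known networks; later successes from an unseen network are
    flagged. Off-hours successes are flagged regardless of network.
    """
    known_nets = defaultdict(set)
    first_seen = {}
    alerts = []
    for ts, user, ip, result in parse(log_text):
        if result != "success":
            continue  # failed attempts are a separate signal; valid-credential use is the focus here
        net = ip_network(f"{ip}/24", strict=False)
        first_seen.setdefault(user, ts)
        in_baseline = (ts - first_seen[user]).days < baseline_days
        reasons = []
        if not in_baseline and net not in known_nets[user]:
            reasons.append(f"new network {net}")
        if ts.hour not in WORK_HOURS:
            reasons.append(f"off-hours login at {ts:%H:%M}")
        if reasons:
            alerts.append((ts, user, reasons))
        known_nets[user].add(net)
    return alerts
```

Running `detect_unusual_logins(SAMPLE_LOG)` on the constructed lines flags alice’s 03:17 login from an unseen network and bob’s 02:30 login from an unseen network, both of which a monitored environment would have raised for review.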
ALM did not have documented information security policies or practices for managing network permissions; its director of information security had only been working for the company since early 2015 and had not put written security measures in place at the time of the hack. In fact, 75% of Ashley Madison’s staff had not been trained in even general privacy and security.
The OPC found that while ALM did provide some information about its security safeguards and account closure options, critical elements of its practices that would have been important to prospective users’ decisions to join Ashley Madison were either absent, difficult to understand or deceptive.
The OPC found that some individuals may not have chosen to share their personal information with ALM had they not been misled at registration by fake security trustmarks, and had they been aware their information would be retained indefinitely unless they paid a fee for deletion. The posting of such fake security emblems was found to invalidate the consent users gave at signup. In fact, unless a user chooses a full deletion, their profile is retained by ALM indefinitely. Moreover, users were not informed until after they had paid for the full delete that their information would be retained for an additional 12 months. So even if you paid for a full deletion, guess what? It may still be on the server for a full year!
ALM / Ruby Corp. and the OPC have entered into a compliance agreement whereby action will be taken in a number of areas, in accordance with timelines that do not begin until May 31, 2017.
“Life is short. Have an affair®.” A slogan made famous by the Ashley Madison website now gives way to the latest ad, which reads, “45 Million Members Can’t Be Wrong”. Perhaps it should say “45 Million Members May Be Uninformed.”
Read the OPC’s own press release
Read the ALM / Ruby Corp. and the OPC compliance agreement