UPDATED 22:59 EDT / AUGUST 23 2016

Ashley Madison slapped down by Canadian, Australian regulators for lax security following 2015 hack

Controversial cheating website Ashley Madison has been slapped down by regulators in Canada and Australia for poor security following its now infamous hacking in 2015.

A joint investigation by the offices of the Australian and Canadian privacy commissioners found that the service had inadequate safeguards in place, including poor password management and a fabricated security trustmark on the website’s home page.

The report detailed an appalling lack of security that included, among other things, the company storing its VPN password on Google Drive, making it extremely easy to access via any employee’s machine. Passwords were stored as plain text on the company’s servers including in emails (they actually sent out emails with passwords in them) and text files.

Encryption keys were also stored in plain text, and one server was found with an SSH key that was not password protected, allowing an attacker to access the server without needing a password at all.

Deception

On the privacy and advertised security front, the report found that the trustmarks on the front page of the site, including an icon labeled “trusted security award” that suggested the site was secure, were fabricated by the company itself.

As previously discovered following the hack, the report confirmed that Ashley Madison inappropriately retained personal information of users who had paid to delete their accounts. Perhaps more bizarrely, it also found that the databases released in the hack included information on people who had never signed up for the service at all.

“Privacy breaches are a core risk for any organization with a business model based on the collection and use of personal information,” Canada’s privacy commissioner Daniel Therrien said in a statement. “Where data is highly sensitive and attractive to criminals, the risk is even greater. Handling huge amounts of this kind of personal information without a comprehensive information security plan is unacceptable.”

The report made a number of recommendations that Ruby Corp., the company formerly known as Avid Life Media and the owner of Ashley Madison, agreed to implement, including reviewing protections of personal information, advising staff of security procedures, stopping retention of information from deactivated accounts and no longer charging users to delete their information.

An investigation by the U.S. Federal Trade Commission (FTC) into the breach remains ongoing.

Image credit: Ashley Madison.

 

