Privacy officials in Canada and Australia have found that while Ashley Madison marketed itself as a discreet and secure service, the site for married people seeking affairs in fact had inadequate security safeguards and policies.
More than a year after a massive data breach that made international headlines, the Office of the Privacy Commissioner of Canada and the Office of the Australian Information Commissioner say their investigation into Ashley Madison has identified numerous violations of the privacy laws of both countries.
In a report released Tuesday, the two agencies say there was a lack of a comprehensive privacy and security framework, even though the site's parent company knew how important it was, and even went so far as to place a fake security trustmark icon on its home page to reassure users.
Though the company did have some security measures in place, the report found several issues, including inadequate authentication processes for employees accessing the company's system remotely and poor key and password management practices.
"Privacy breaches are a core risk for any organization with a business model based on the collection and use of personal information," Canada's privacy commissioner, Daniel Therrien, said in a statement.
"Where data is highly sensitive and attractive to criminals, the risk is even greater. Handling huge amounts of this kind of personal information without a comprehensive information security plan is unacceptable. This is an important lesson all organizations can draw from the investigation."
Last year's hack exposed the personal dealings and financial information of millions of purported clients.
Ashley Madison's parent company, Ruby Corp. — formerly known as Avid Life Media — has said the cyberattack cost it about a quarter of its annual revenue.
The company said Tuesday it has co-operated with the investigation and entered into a compliance agreement that makes the report's recommendations enforceable in court.
It vowed to take several steps to ensure better data security, including completing a comprehensive third-party review of its existing protections by the end of this year — a process the company said is already underway.
Ruby Corp. also committed to further boosting and documenting its information security framework by May 31 of next year, and said mandatory security and privacy training for employees has already been implemented.
"The company continues to make significant, ongoing investments in privacy and security to address the constantly evolving threats facing online businesses. These investments are the cornerstone of rebuilding consumer trust over the long term," the company's CEO, Rob Segal, said in a statement.