If anyone should have taken security seriously, it should have been Ashley Madison
Privacy investigators in Canada and Australia have found that security guarantees on adultery dating website Ashley Madison were insufficient and the business violated privacy laws in both countries.
A joint investigation conducted by the Office of the Privacy Commissioner of Canada and the Office of the Australian Information Commissioner noted that some security measures did exist, but the company “did not have an adequate overarching information security framework.”
In August last year those security issues made international headlines when the Canadian company’s website was hacked into by a group called “The Impact Team.”
Millions of international names, emails and personal information were released in a massive data dump.
The report released by investigators said that Ashley Madison knew that security was a “central part of the service” and reassured customers with security “awards” and statements on its front page.
The company behind controversial infidelity dating site Ashley Madison – the victim of one of the worst corporate computer hacks in recent Canadian history – had “inadequate security safeguards and policies” and deceived users with a “phony trustmark icon” on its homepage, the country’s privacy watchdog found in a year-long investigation made public Tuesday.
In a sweeping order, the Office of the Privacy Commissioner of Canada demanded the company build better internal security systems, offer users more control over their data in order to mitigate the risk of another data breach and also remove fake “security awards” the company had posted on its website. The order, which the company has agreed to, comes just a month after Ruby Corp., formerly known as Avid Life Media (ALM) Inc., appointed a new chief executive officer and launched a marketing campaign aiming to broaden its appeal and win back trust.
Life’s Short, let’s make it easy for hackers!!?
Information provided by ALM in the wake of the breach highlighted several other instances of poor implementation of security measures, in particular poor key and password management practices. These include the VPN ‘shared secret’ described above being available on the ALM Google drive, meaning that anyone with access to any ALM employee’s drive on any computer, anywhere, could have potentially discovered the shared secret.
Instances of storage of passwords as plain, clearly identifiable text in emails and text files were also found on the systems. In addition, encryption keys were stored as plain, clearly identifiable text on ALM systems, potentially putting information encrypted using those keys at risk of unauthorized disclosure.
Finally, a server was found with an SSH key that was not password protected. This key would enable an attacker to connect to other servers without having to provide a password.
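The three findings above (a shared secret sitting in a drive document, passwords and encryption keys in plaintext files and emails, and an SSH private key with no passphrase) are all things an internal audit can look for mechanically. The script below is an added illustration written for this page; it is not code from the report, from ALM or from the investigators. It checks whether an SSH private key is passphrase-protected by reading the key file format itself (the cipher name recorded in an OpenSSH-format key, or the `Proc-Type: 4,ENCRYPTED` header of a legacy PEM key) and applies a simple, admittedly heuristic regular expression to flag `password = ...` or `shared secret: ...` lines in text files and emails. All sample files, key blobs and credentials are constructed for the example; findings report where a secret was found and never echo the value itself.

```python
import base64
import re
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"

# Matches the opening line of any common private-key encoding.
PRIVATE_KEY_BEGIN = re.compile(
    r"-----BEGIN (OPENSSH |RSA |DSA |EC |ENCRYPTED )?PRIVATE KEY-----")

# Heuristic: a credential-ish keyword followed by ':' or '=' and a value.
CREDENTIAL_RE = re.compile(
    r"(?i)\b(password|passwd|shared[_ -]?secret|secret|api[_-]?key)\b\s*[:=]\s*(\S+)")


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH 'string': uint32 big-endian length prefix + bytes."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(buf: bytes, offset: int):
    """Decode an SSH 'string' at offset; return (bytes, offset after it)."""
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    start = offset + 4
    return buf[start:start + length], start + length


def build_openssh_key_sample(cipher: str) -> str:
    """Constructed sample: a minimal OpenSSH-format private key blob whose header
    names the given cipher ('none' is how an unencrypted key is marked). The
    fields after the header are filler; only the header is inspected below."""
    kdf = b"none" if cipher == "none" else b"bcrypt"
    body = (OPENSSH_MAGIC + _ssh_string(cipher.encode()) + _ssh_string(kdf)
            + _ssh_string(b"") + struct.pack(">I", 1) + _ssh_string(b"filler"))
    b64 = base64.b64encode(body).decode("ascii")
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
            + "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


def openssh_key_cipher(key_text: str) -> str:
    """Return the cipher name stored in an OpenSSH-format key; 'none' = no passphrase."""
    lines = [ln.strip() for ln in key_text.strip().splitlines()]
    end = next(i for i, ln in enumerate(lines) if ln.startswith("-----END"))
    body = base64.b64decode("".join(lines[1:end]))
    if not body.startswith(OPENSSH_MAGIC):
        raise ValueError("not an openssh-key-v1 blob")
    cipher, _ = _read_ssh_string(body, len(OPENSSH_MAGIC))
    return cipher.decode("ascii")


def private_key_is_encrypted(text: str) -> bool:
    """True if the first private key found in text is protected by a passphrase."""
    m = PRIVATE_KEY_BEGIN.search(text)
    if not m:
        raise ValueError("no private key found")
    key, header = text[m.start():], m.group(0)
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        return openssh_key_cipher(key) != "none"
    if header == "-----BEGIN ENCRYPTED PRIVATE KEY-----":   # PKCS#8, always encrypted
        return True
    if header == "-----BEGIN PRIVATE KEY-----":             # PKCS#8, never encrypted
        return False
    # Legacy PEM (RSA/DSA/EC): encrypted only if OpenSSL wrote the Proc-Type header.
    return "Proc-Type: 4,ENCRYPTED" in key


def scan_text(path: str, text: str):
    """Return (path, issue) findings for one file; secret values are not reported."""
    findings = []
    if PRIVATE_KEY_BEGIN.search(text) and not private_key_is_encrypted(text):
        findings.append((path, "private key without passphrase"))
    for m in CREDENTIAL_RE.finditer(text):
        findings.append((path, f"plaintext credential '{m.group(1)}' (value redacted)"))
    return findings


def scan_files(files: dict):
    """Scan a mapping of path -> file contents (stands in for a drive or mailbox export)."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed legacy PEM samples (filler bodies, not real key material).
LEGACY_ENCRYPTED_PEM = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                        "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                        "MIIEowIBAAKCAQEAconstructedfiller\n-----END RSA PRIVATE KEY-----\n")
LEGACY_PLAIN_PEM = ("-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAconstructedfiller\n"
                    "-----END RSA PRIVATE KEY-----\n")

# Constructed corpus mirroring the report's findings: a drive note with the VPN
# shared secret, an email with a password, and SSH keys with and without passphrases.
SAMPLE_FILES = {
    "shared-drive/vpn-notes.txt": "Office VPN\nshared secret: s3cr3t-constructed\n",
    "mail/outbox.eml": "Subject: db access\n\nThe db password = Winter2015!\n",
    "home/alice/.ssh/id_rsa": build_openssh_key_sample("none"),
    "home/bob/.ssh/id_ed25519": build_openssh_key_sample("aes256-ctr"),
    "ops/legacy.pem": LEGACY_ENCRYPTED_PEM,
    "ops/deploy.key": LEGACY_PLAIN_PEM,
}

if __name__ == "__main__":
    for path, issue in scan_files(SAMPLE_FILES):
        print(f"{path}: {issue}")
```

Run as-is, the scan flags the VPN note, the email, and the two keys without a passphrase (`id_rsa` and `deploy.key`), and stays quiet about the two encrypted keys. The key-format check is exact; the credential regex is deliberately loose and will miss phrasing it does not anticipate, so it is a starting point for a review, not proof that a share is clean.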