Report: Ashley Madison Violated Australian Law
CANBERRA, Australia – A little more than a year after a massive data breach exposed the sordid details about 37 million members of infidelity dating site Ashley Madison, government officials in Canada and Australia have released a scathing report following a joint investigation into the site’s operation. The report takes the parent company, Canada-based Avid Life Media Inc., to task not only for woefully inadequate security measures and risk-management protocols, but also for deceptive and confusing marketing practices designed to make members believe their personal information would be safe.
Those marketing practices included boasting about a security award that doesn’t exist.
In July 2015, Ashley Madison’s servers were breached by a hacker collective calling itself Impact Team. The group vowed to dump all the sensitive data it stole onto the dark web unless ALM shut down Ashley Madison and another controversial dating website. ALM refused to comply, Impact Team dumped the data, and the entire world was scandalized when the names of some very rich, very powerful, very high-profile people appeared in it.
The Australia-Canada joint report determined ALM violated both the Australian Privacy Act 1988 and the Canadian Personal Information Protection and Electronic Documents Act, specifically with regard to:
ALM’s practice of retaining personal information of users after profiles had been deactivated or deleted by users, and when profiles were inactive (that is, had not been accessed by the user for an extended period of time).
ALM’s practice of charging users to “fully delete” their profiles.
ALM’s practice of not confirming the accuracy of user email addresses before collecting or using them.
ALM’s transparency with users about its personal information handling practices.
ALM, which rebranded as Ruby in July 2016, is now under an “enforceable undertaking” ordering it to rectify the deficiencies the report listed and implement new policies and procedures that protect information more robustly. The company must bring 13 shortcomings into compliance by March 31, 2017.
A U.S. Federal Trade Commission investigation reportedly is in progress.