Ashley Madison Leak: ‘Life is short, comply with privacy law’

Last year, personal details of 36 million Ashley Madison users were published online by a group identifying as ‘The Impact Team.’ All of these details were linked with profiles whose owners were subscribers to a dating site targeted at people seeking a discreet affair. The leaked information included account information (e.g. email addresses, passwords), profile information (which detailed users’ descriptions of themselves and experiences they were seeking), and billing information.

The Office of the Australian Information Commissioner and the Office of the Privacy Commissioner of Canada conducted a joint investigation into the Ashley Madison leak. Under Australian privacy law, Ashley Madison should have taken such steps as were reasonable in the circumstances to protect the personal information it held. The joint report was recently released, revealing a range of privacy law breaches by Ashley Madison.

What did Ashley Madison do right?

Ashley Madison did take some positive steps to deal with the leak, including:

  • taking immediate steps to contain the breach as quickly as possible (including shutting down VPN access);
  • issuing a press release and notifying users of the leak by email;
  • engaging a cyber-security consultant;
  • taking measures to improve information security, including a comprehensive review of their framework, policies, procedures and training of staff;
  • voluntarily responding to requests by regulators before the commencement of the investigation; and
  • taking steps to limit the spread of leaked information, including issuing takedown notices to websites which published the personal details of users.

The Privacy Commissioners viewed these post-incident actions favourably.

What did Ashley Madison do wrong?

The report details a number of problems with how Ashley Madison handled personal information both before and after the incident. These included:

Inadequate security framework

At the time of the breach, there was inadequate documentation and processes around data security, which should have addressed both preventative and detective measures. The Commissioners found that Ashley Madison’s security framework was lacking key elements:

  • documented information security policies or practices;
  • an explicit risk management process; and
  • adequate training of staff.

Indefinite retention and paid deletion of user accounts

The Ashley Madison website retained personal information for an indefinite period, and required users to pay a fee for their accounts to be completely deleted. This breaches Australian privacy laws which require personal information to be destroyed when it is no longer required, and an individual’s personal information to be deleted on request.

Accuracy of email addresses

Ashley Madison did not verify email addresses provided by users, stating that this was a conscious decision aimed at protecting the anonymity of users. This means that incorrect email addresses provided to Ashley Madison could potentially be connected with individuals who are not using the site. This breaches Australian privacy laws which require organisations to take reasonable steps to ensure that the information they collect is accurate, up-to-date, complete and relevant.

Transparency with users

Privacy laws require organisations to inform individuals of certain matters concerning the organisation’s handling of personal information. At the time of the breach, the Ashley Madison homepage prominently displayed multiple ‘trust-marks’ which conveyed a high level of security and discretion for the site. For example, the home page included an icon with the words ‘trusted security award’ and a statement that the website offered a ‘100% discreet service.’ The website also provided information regarding personal information handling in the Terms and Conditions and Privacy Policy.

The report states that:
[Ashley Madison] did provide some information about their security safeguards and account closure options and retention practices, critical elements of their practices that would have been material to prospective users’ decision to join Ashley Madison were either absent, difficult to understand or deceptive.

The Commissioners found that the ‘trust-marks’ on the homepage were fabricated by Ashley Madison, rather than validated designations by third parties. Statements in the Terms and Conditions and Privacy Policy regarding retention of information and deletion of accounts were found to be confusing. Further, users who opted for the paid ‘full delete’ option were not informed until after payment that their information would be retained for another 12 months. These issues also constituted breaches of Australian privacy laws.

What does Ashley Madison need to do to comply with privacy laws?

Ashley Madison has agreed to an enforceable undertaking sought by the Australian Privacy Commissioner. This undertaking requires Ashley Madison to make certain changes, such as conducting comprehensive reviews and implementing an enhanced security framework.

Lessons from the Ashley Madison leak

The Ashley Madison data breach and subsequent report provide important lessons for any business that collects and uses personal information. The appropriate policies, processes, framework and training can help safeguard against data breaches, and prevent reputational and legal risks. As the Privacy Commissioner now has a wide range of powers to impose penalties, compliance with privacy law is paramount. It is important that businesses adopt a systematic, risk-based approach to the handling of personal information. Take stock of the personal information your business collects, how it is used, who uses it, how it is stored and how long it is retained. Engage experts to review your data security, policies, procedures and training to minimise your potential liability for data breaches.

Our expert commercial lawyers are experienced in advising Newcastle and Sydney businesses on the application of the Australian Privacy Principles. We can help you draft or review policies, procedures and collection notices to ensure compliance with privacy laws. Please don’t hesitate to contact Butlers Business and Law on (02) 4929 7002 or fill out an enquiry form on our website.