Ashley Madison Leak: ‘Life is short, comply with privacy law’
Last year, personal details of 36 million Ashley Madison users were published online by a group identifying as ‘The Impact Team.’ All of these details were linked to profiles of subscribers to a dating site targeted at people seeking a discreet affair. The leaked information included account information (e.g. email addresses, passwords), profile information (users’ descriptions of themselves and the experiences they were seeking), and billing information.
The Office of the Australian Information Commissioner and the Office of the Privacy Commissioner of Canada conducted a joint investigation into the Ashley Madison leak. Under Australian privacy law, Ashley Madison should have taken such steps as were reasonable in the circumstances to protect the personal information it held. The joint report was recently released, revealing a range of privacy law breaches by Ashley Madison.
What did Ashley Madison do right?
Ashley Madison did take some positive steps to deal with the leak, including:
- taking immediate steps to contain the breach as quickly as possible (including shutting down VPN access);
- issuing a press release and notifying users of the leak by email;
- engaging a cyber-security consultant;
- taking measures to improve information security, including a comprehensive review of their framework, policies, procedures and training of staff;
- voluntarily responding to requests by regulators before the commencement of the investigation; and
- taking steps to limit the spread of leaked information, including issuing takedown notices to websites which published the personal details of users.
The Privacy Commissioners viewed these post-incident actions favourably.
What did Ashley Madison do wrong?
The report details a number of problems with how Ashley Madison handled personal information both before and after the incident. These included:
Inadequate security framework
At the time of the breach, there was inadequate documentation and process around data security, which should have addressed both preventative and detective measures. The Commissioners found that Ashley Madison’s security framework was lacking key elements:
- documented information security policies or practices;
- an explicit risk management process; and
- adequate training of staff.
Indefinite retention and paid deletion of user accounts
The Ashley Madison website retained personal information for an indefinite period, and required users to pay a fee for their accounts to be completely deleted. This breaches Australian privacy laws which require personal information to be destroyed when it is no longer required, and an individual’s personal information to be deleted on request.
Accuracy of email addresses
Ashley Madison did not verify email addresses provided by users, stating that this was a conscious decision aimed at protecting the anonymity of users. This means that incorrect email addresses provided to Ashley Madison could potentially be connected with individuals who are not using the site. This breaches Australian privacy laws which require organisations to take reasonable steps to ensure that the information they collect is accurate, up-to-date, complete and relevant.
Transparency with users
The report states that: