Australian Privacy Commissioner Timothy Pilgrim and the Privacy Commissioner of Canada Daniel Therrien have released a report on the Ashley Madison data breach more than a year after the incident occurred, finding that the company breached both countries' privacy acts.
AshleyMadison.com, a website that urged its users to "have an affair," suffered the data breach in July 2015, in what was one of the most public security breaches to date. Around 37 million people were caught up in the attack that saw the personal data of users, including credit card information, leaked online.
Commissioners Pilgrim and Therrien initially opened the joint investigation into the breach in August last year, publishing their findings [PDF] 12 months later.
The report, titled Joint investigation of Ashley Madison by the Privacy Commissioner of Canada and the Australian Privacy Commissioner and Acting Australian Information Commissioner, states that the primary issue under investigation was the adequacy of the safeguards in place to protect the personal information of users, and finds that Ashley Madison breached both the Australian Privacy Act and the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA).
The investigation considered the data handling practices of Ashley Madison's parent company Avid Life Media Inc -- recently rebranded as Ruby Corp -- in relation to retaining a user's personal information after they had paid the required fee to delete their profile.
Headquartered in Toronto, Canada, Avid Life Media operates three other websites: Cougar Life, Established Men, and Man Crunch. The company pulled in over AU$100 million in operating revenue in 2014 from its affair-enabling website alone.
As previously reported by ZDNet, the hackers behind the breach, Impact Team, gave Ashley Madison an ultimatum: unless Avid Life Media shut down the Ashley Madison and Established Men websites, the group would publish the stolen data online. On August 18, 2015, Impact Team released a data dump of approximately 10GB containing member information, including email addresses and credit card details.
Avid Life Media told the commissioners it believes the attacker had some level of access to its network for at least several months before the actual breach, admitting it was a targeted rather than opportunistic attack.
At the time of the attack, the organisation said it had a number of safeguards in place, including keeping its servers in an isolated, locked room with access limited by keycard to authorised employees; and production servers stored in a cage at a third party's facility, with entry requiring a biometric scan, an access card, photo ID, and a combination lock code.
The report found that at the time of the incident, Avid Life Media did not have documented information security policies or practices for managing network permissions; it also found the organisation had not implemented a number of commonly used detective countermeasures that could facilitate detection of attacks or identify anomalies indicative of security concerns.
"[Avid Life Media] did have some detection and monitoring systems in place, but these were focused on detecting system performance issues and unusual employee requests for decryption of sensitive user data," the report said.
The company had not implemented an intrusion detection or prevention system, and had neither a security information and event management (SIEM) system nor data loss prevention monitoring in place, the commissioners found. Additionally, the report said VPN logins were tracked and reviewed on a weekly basis; however, unusual login behaviour, which could give indicators of unauthorised activity, was not monitored.
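The gap the commissioners describe, a weekly review of VPN logins with no monitoring for unusual login behaviour, is the kind of control a small amount of detection logic can provide. The following is an added example and is not code from the report or from Avid Life Media. The syslog-style log format, the user names, the IP addresses (documentation ranges) and the thresholds are all constructed for illustration; it also goes slightly beyond the text by flagging a burst of failures followed by a success and two countries within an hour ("impossible travel"), alongside first-time countries and off-hours logins.

```python
"""
Added example: flagging unusual VPN login behaviour from authentication logs.
Not code from the commissioners' report or from Avid Life Media. The log
format, accounts, addresses and thresholds below are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format, not a real VPN vendor's):
# "<ISO timestamp> vpn: user=<name> src=<ip> geo=<country> result=<ok|fail>"
SAMPLE_LOG = """\
2015-05-01T08:02:11Z vpn: user=alice src=203.0.113.10 geo=CA result=ok
2015-05-01T08:05:40Z vpn: user=bob src=198.51.100.7 geo=CA result=ok
2015-05-01T09:15:02Z vpn: user=alice src=203.0.113.10 geo=CA result=ok
2015-05-02T03:12:09Z vpn: user=bob src=192.0.2.44 geo=RO result=fail
2015-05-02T03:12:15Z vpn: user=bob src=192.0.2.44 geo=RO result=fail
2015-05-02T03:12:21Z vpn: user=bob src=192.0.2.44 geo=RO result=fail
2015-05-02T03:12:40Z vpn: user=bob src=192.0.2.44 geo=RO result=ok
2015-05-02T08:10:33Z vpn: user=alice src=203.0.113.10 geo=CA result=ok
2015-05-02T08:30:00Z vpn: user=bob src=198.51.100.7 geo=CA result=ok
2015-05-03T10:00:00Z vpn: user=alice src=203.0.113.10 geo=CA result=ok
2015-05-03T10:20:00Z vpn: user=alice src=198.51.100.200 geo=BR result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn: user=(?P<user>\S+) src=(?P<src>\S+) "
    r"geo=(?P<geo>[A-Z]{2}) result=(?P<result>ok|fail)$"
)

# Illustrative thresholds (assumptions, not figures from the report).
OFF_HOURS = range(0, 6)              # 00:00-05:59 UTC counts as off-hours
FAIL_WINDOW = timedelta(minutes=10)  # failures this close to a success matter
FAIL_THRESHOLD = 3                   # ...if there are at least this many
TRAVEL_WINDOW = timedelta(minutes=60)  # two countries inside this is suspect


def parse(line):
    """Parse one log line into a dict, or return None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_anomalies(lines):
    """Return (timestamp, user, rule) tuples for suspicious successful logins.

    State is built incrementally in log order: a user's first observed
    country becomes the baseline, and later logins are judged against it.
    """
    alerts = []
    seen_geo = defaultdict(set)       # user -> countries seen in successes
    recent_fails = defaultdict(list)  # (user, src) -> failure timestamps
    last_success = {}                 # user -> (ts, geo) of last success

    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        ts, user, src, geo = ev["ts"], ev["user"], ev["src"], ev["geo"]
        key = (user, src)

        if ev["result"] == "fail":
            recent_fails[key].append(ts)
            continue

        # Rule 1: a burst of failures from the same source just before success.
        fails = [t for t in recent_fails[key] if ts - t <= FAIL_WINDOW]
        if len(fails) >= FAIL_THRESHOLD:
            alerts.append((ts, user, "failures_then_success"))
        recent_fails[key] = []

        # Rule 2: success outside the assumed working hours.
        if ts.hour in OFF_HOURS:
            alerts.append((ts, user, "off_hours"))

        # Rule 3: first login from a country not in this user's history.
        if seen_geo[user] and geo not in seen_geo[user]:
            alerts.append((ts, user, "new_country"))

        # Rule 4: two countries within a window too short to travel between.
        if user in last_success:
            prev_ts, prev_geo = last_success[user]
            if prev_geo != geo and ts - prev_ts <= TRAVEL_WINDOW:
                alerts.append((ts, user, "impossible_travel"))

        seen_geo[user].add(geo)
        last_success[user] = (ts, geo)

    return alerts


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect_anomalies(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for ts, user, rule in run_sample():
        print(f"{ts.isoformat()} {user:<6} {rule}")
```

On the sample data the detector raises five alerts: bob's 03:12 login trips three rules at once (a failure burst from the same address, an off-hours success and a country never seen for that account), and alice's login from a second country twenty minutes after a Canadian one trips both the new-country and impossible-travel rules. None of these would surface in a weekly tally of login counts; they need per-user state carried from one event to the next, which is what a SIEM correlation rule or a script like this supplies.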
Avid Life Media also confirmed it did not have a documented risk management framework guiding how it determined what security measures would be appropriate to the risks it faced.
As a result of the investigation, Pilgrim said Avid Life Media has offered binding, court-enforceable commitments to each commissioner to improve its personal information practices and governance.
Pilgrim believes this result provides closure.
"While [Avid Life Media] fell well short of the requirements we would expect for an organisation managing personal information, breaches can occur in the best run companies," Pilgrim said.
"The lesson for consumers is to make informed choices about providing personal information and to take privacy into their own hands. Be clear about what you are providing, the value you are getting in exchange, and understand that no organisation is 'breach-proof'."
Pilgrim and Therrien recommend that organisations holding sensitive personal information, or a significant amount of personal information, should have adequate information security measures in place, such as documented security policies, an explicit risk management process, adequate expertise, and privacy and security training for all staff.
Speaking on ABC News 24 on Wednesday, Pilgrim offered up some safeguards an organisation should have in place to avoid experiencing a breach of a similar nature to the Ashley Madison one.
"First of all there needs to be much higher levels of protection about what sort of passwords organisations are using, much greater use of encryption methods when the information is being protected and within the servers, making sure it's hard for them to be able to move about by having a lot of stronger protection in terms of passwords within the system and other protocols and at a basic level, fundamentally train staff about their responsibilities," he said.
He said individuals should be aware of why they are giving over their personal information and what is going to happen to it, noting it is incumbent on the organisation to protect the information to appropriate standards -- which he said Ashley Madison did not do.
"The user signed up looking at Ashley Madison's policies and they would have entered into the agreement expecting a certain level of protection once they provided their information and that was severely lacking in this circumstance," he said.
"Ashley Madison was in breach of our privacy act and also the Canadian privacy act for not having those standards in place."
A class-action lawsuit was lodged against Avid Life Media in Canada, seeking damages of up to $760 million on behalf of Canadians whose data was leaked online.
Individuals who signed up are also able to lodge an individual complaint via the Australian commissioner's office, which could see them compensated for the leak of their private information without getting the courts involved.
Under the Australian Privacy Act, organisations are required to destroy or de-identify personal information once they no longer need it for any purpose; similarly, under PIPEDA Principle 4.5, personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law, and shall be retained only as long as necessary for the fulfilment of those purposes.
The commissioners recommend that Avid Life Media cease its practice of retaining indefinitely personal information of users whose accounts are deactivated or inactive.
The pair also urged Avid Life Media to be more transparent with users, noting "the consent of an individual is only valid if it is reasonable to expect that an individual to whom the organisation's activities are directed would understand the nature, purpose, and consequences of the collection, use or disclosure of the personal information to which they are consenting".