Ashley Madison blasted over poor security measures

Dating website Ashley Madison was the target of a data breach as a result of inadequate security safeguards, according to the findings of a joint investigation by the Office of the Australian Information Commissioner (OAIC), led by Australian Privacy Commissioner Timothy Pilgrim, and the Office of the Privacy Commissioner of Canada (OPC), led by Commissioner Daniel Therrien.

Avid Life Media Inc. (ALM), headquartered in Canada, operates a number of adult dating websites, the largest of which is Ashley Madison.

The two agencies jointly investigated the breach at the dating website for married people, which made headline news around the world and caused massive embarrassment to its user base.

Ashley Madison hosted approximately 36 million user profiles at the time of the data breach, and its 2014 revenue was in excess of US$100 million. At the time of the data breach, ALM employed around 100 staff, most of whom were based at its headquarters in Toronto.

Although ALM does not have a physical presence in Australia, it conducts marketing in Australia, targets its services at Australian residents, and collects information from people in Australia.

The Australian Privacy Act extends to an act done, or practice engaged in, outside Australia by an organisation where that organisation has an ‘Australian link’ (s 5B(1A)).

At the time of the data breach, the front page of the Ashley Madison website included a series of trust-marks which suggested a high level of security and discretion. These included a medal icon labelled ‘trusted security award’, a lock icon indicating the website was ‘SSL secure’ and a statement that the website offered a ‘100% discreet service’.

The report found that the ‘trusted security award’ trust-mark was ALM’s own creation rather than a designation validated by any third party.

It notes that “The fictitious trust-mark appears to have been designed by ALM to deliberately foster a false general impression among prospective users that the organization’s information security practices had been reviewed and deemed high quality by an independent third party.”

The Ashley Madison home page has since been changed by ALM to remove the medal icon labelled ‘trusted security award’ and the statement that the website offers a ‘100% discreet service.’

Under the Australian Privacy Act, organisations are obliged to take such ‘reasonable’ steps as are required in the circumstances to protect personal information.

The OAIC and OPC sought, in particular, to understand the protections in place relevant to the path of attack: compromised VPN credentials, which were used to access ALM’s systems undetected for a significant period of time.

At the time of the incident, ALM did not have documented information security policies or practices for managing network permissions.

In early 2015 ALM engaged a full-time Director of Information Security who, at the time of the breach, was in the process of developing written security procedures and documentation. This work was incomplete when the data breach was discovered.

The report found that ALM had not implemented an intrusion detection or prevention system, and had neither a security information and event management (SIEM) system nor data loss prevention monitoring in place. VPN logins were tracked and reviewed on a weekly basis; however, unusual login behaviour, which could give indicators of unauthorised activity, was not well monitored. For instance, it was only in the course of investigating the current incident that ALM’s third-party cybersecurity consultant discovered other instances of unauthorised access to ALM’s systems, using valid credentials, in the weeks immediately preceding its discovery of the breach in question.
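The finding above is that valid VPN credentials were used repeatedly without anyone noticing, because logins were only tallied weekly and nobody looked for behaviour that was unusual for the account. The script below is an added illustration of the kind of review that would have surfaced that pattern; it is not code from the report or from ALM. It assumes a hypothetical appliance-style log line format, a constructed log sample (the users, addresses and dates are invented), and a simple per-user baseline built from successful logins before a cut-off date. Each later successful login is then flagged if it comes from a source network the user has never used, falls outside the hours the user normally logs in, or follows a run of failures from the same address (the valid-credentials-after-guessing pattern).

```python
"""Heuristic review of VPN login logs for anomalous use of valid credentials.

Added example; the log format, user names, addresses and thresholds are all
assumptions for illustration and not taken from the investigation report.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

# Constructed sample log (hypothetical format):
#   "<ISO timestamp> vpn user=<name> src=<ip> result=<ok|fail>"
SAMPLE_LOG = """\
2015-06-01T09:02:11Z vpn user=jdoe src=203.0.113.10 result=ok
2015-06-02T08:58:40Z vpn user=jdoe src=203.0.113.10 result=ok
2015-06-03T09:05:03Z vpn user=jdoe src=203.0.113.11 result=ok
2015-06-04T09:00:27Z vpn user=jdoe src=203.0.113.10 result=ok
2015-06-05T09:10:44Z vpn user=jdoe src=203.0.113.10 result=ok
2015-06-01T10:15:00Z vpn user=msmith src=198.51.100.7 result=ok
2015-06-03T10:20:13Z vpn user=msmith src=198.51.100.7 result=ok
2015-06-20T03:12:09Z vpn user=jdoe src=192.0.2.44 result=fail
2015-06-20T03:12:31Z vpn user=jdoe src=192.0.2.44 result=fail
2015-06-20T03:12:52Z vpn user=jdoe src=192.0.2.44 result=ok
2015-06-20T03:40:00Z vpn user=jdoe src=203.0.113.10 result=ok
2015-06-21T09:01:00Z vpn user=msmith src=198.51.100.7 result=ok
"""

LINE_RE = re.compile(r"^(\S+) vpn user=(\S+) src=(\S+) result=(ok|fail)$")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse(log_text):
    """Parse log lines into dicts, skipping malformed lines, sorted by time."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # do not let one bad line abort the whole review
        ts, user, src, result = m.groups()
        events.append({
            "ts": datetime.strptime(ts, TS_FMT),
            "user": user,
            "src": src,
            # Baseline on the /24 so a DHCP change inside the home network is not an alert
            "net": str(ipaddress.ip_network(src + "/24", strict=False)),
            "ok": result == "ok",
        })
    events.sort(key=lambda e: e["ts"])
    return events


def build_baseline(events, baseline_end):
    """Per-user source networks and login hours seen in successful logins before the cut-off."""
    nets, hours = defaultdict(set), defaultdict(set)
    for e in events:
        if e["ok"] and e["ts"] < baseline_end:
            nets[e["user"]].add(e["net"])
            hours[e["user"]].add(e["ts"].hour)
    return nets, hours


def hour_distance(a, b):
    """Distance between two hours of day, wrapping around midnight."""
    d = abs(a - b)
    return min(d, 24 - d)


def find_anomalies(events, baseline_end, fail_threshold=2, fail_window=timedelta(minutes=10)):
    """Return (timestamp, user, src, reasons) for each suspicious successful login after the cut-off."""
    nets, hours = build_baseline(events, baseline_end)
    recent_fails = defaultdict(list)  # (user, src) -> timestamps of recent failures
    findings = []
    for e in events:
        key = (e["user"], e["src"])
        if not e["ok"]:
            recent_fails[key].append(e["ts"])
            continue
        if e["ts"] < baseline_end:
            continue  # baseline period itself is not scored
        reasons = []
        if e["net"] not in nets[e["user"]]:
            reasons.append("new_source_network")
        known = hours[e["user"]]
        if known and all(hour_distance(e["ts"].hour, h) > 1 for h in known):
            reasons.append("off_hours")
        fails = [t for t in recent_fails[key] if e["ts"] - t <= fail_window]
        if len(fails) >= fail_threshold:
            reasons.append("failures_then_success")
        recent_fails[key] = []  # success closes the failure run for this address
        if reasons:
            findings.append((e["ts"].strftime(TS_FMT), e["user"], e["src"], reasons))
    return findings


def review(log_text, baseline_end="2015-06-15T00:00:00Z"):
    """Convenience wrapper: parse the log and score everything after the cut-off date."""
    return find_anomalies(parse(log_text), datetime.strptime(baseline_end, TS_FMT))


if __name__ == "__main__":
    for ts, user, src, reasons in review(SAMPLE_LOG):
        print(f"{ts} {user} from {src}: {', '.join(reasons)}")
```

On the constructed sample this flags the 03:12 login as a new network, off hours and preceded by failures, and the 03:40 login from the user's usual network as off hours only; the point of the second finding is that a valid credential used from a familiar address can still stand out when the time of day is scored. A weekly tally of login counts would have shown neither.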

“This further reinforces our view that ALM was not adequately monitoring its systems for indications of intrusion or other unauthorised activity.

At the time of the breach, ALM did not have a documented risk management framework guiding how it determined what security measures would be appropriate to the risks it faced.”

ALM has been asked to provide the OPC and OAIC with an independent report on its implementation of an information security framework by 31 July 2017.

The full report is available HERE.