It's been a year since extramarital dating site Ashley Madison was hacked and the details of its users were made public. No doubt marriages ended as a result of the hack, but the event also highlighted just how poor Ashley Madison was at managing IT security and privacy. A joint investigation by Australian and Canadian privacy authorities has brought to light the website's shortcomings and what businesses (as well as consumers) can learn from the hacking incident.
The Australian Privacy Commissioner Timothy Pilgrim and Privacy Commissioner of Canada Daniel Therrien have concluded their joint investigation into the Ashley Madison hacking scandal that occurred in August last year. At the time, hackers had gained access to Ashley Madison's database of 36 million users, 670,000 of whom were from Australia. The personal details of users were then released. Considering the website specialises in providing dating services for individuals who want to have an affair, the hacking would have ruined a lot of relationships.
It also inadvertently exposed the fact that many of the potential partners that were on Ashley Madison were actually bots.
Commissioners Pilgrim and Therrien have released a report detailing how events transpired with the Ashley Madison hack and pointed out the website's woeful inadequacies when it came to IT security and privacy. For one, Avid Life Media (ALM), the parent company of the website, did not have documented IT security policies or practices for managing network permissions, which is a basic security safeguard for organisations, especially ones that hold so much personal data:
"[T]he investigation team found critical gaps in security coverage indicative of the absence of appropriate policies and practices. For instance, security policies and procedures should cover both preventive and detective measures. According to information provided, ALM had not implemented a number of commonly used detective countermeasures that could facilitate detection of attacks or identify anomalies indicative of security concerns. While such systems would not necessarily have detected intrusions such as the one by the attacker, they are important lines of defense that could potentially limit the adverse impact of attacks."
While ALM did have detection and monitoring systems in place, they were focused on detecting system performance issues and unusual employee requests for decryption of sensitive user data. Unusual login behaviour, which can be an indicator of unauthorised activity, was not well monitored.
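To make the distinction concrete, the following is an added example (not code from the report or from ALM) of the kind of login-behaviour monitoring the investigators found missing. It runs three simple rules over constructed auth-log lines in a hypothetical format: a burst of failures from one source inside a time window, a successful login from a source that is in the middle of such a burst, and a successful login from a country the account has never used before. The log lines, the baseline of known countries per account, and the thresholds are all assumptions made for the example.

```python
"""Flag anomalous login activity in constructed auth-log lines.

Added example, not ALM's code. Assumed (hypothetical) log format:
    <ISO-8601 UTC timestamp> user=<name> src=<ip> geo=<country> result=<OK|FAIL>
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5              # failures from one source inside WINDOW -> brute force
WINDOW = timedelta(minutes=10)  # sliding window for counting failures

# Constructed sample: a password-guessing burst from 203.0.113.7 that ends in a
# success against "carol", a login for "bob" from a country not in his baseline,
# and ordinary traffic that should produce no alert.
SAMPLE_LOG = """\
2015-07-12T09:01:10Z user=alice src=198.51.100.4 geo=CA result=OK
2015-07-12T09:02:00Z user=bob src=198.51.100.9 geo=CA result=OK
2015-07-12T09:03:05Z user=carol src=203.0.113.7 geo=RU result=FAIL
2015-07-12T09:03:06Z user=carol src=203.0.113.7 geo=RU result=FAIL
2015-07-12T09:03:07Z user=carol src=203.0.113.7 geo=RU result=FAIL
2015-07-12T09:03:08Z user=carol src=203.0.113.7 geo=RU result=FAIL
2015-07-12T09:03:09Z user=carol src=203.0.113.7 geo=RU result=FAIL
2015-07-12T09:03:11Z user=carol src=203.0.113.7 geo=RU result=OK
2015-07-12T09:10:00Z user=bob src=192.0.2.55 geo=BR result=OK
"""

# Constructed baseline: countries each account has previously logged in from.
BASELINE_GEO = {"alice": {"CA"}, "bob": {"CA", "US"}, "carol": {"CA"}}


def parse_line(line):
    """Turn one log line into a dict with a parsed 'ts' field."""
    ts_str, *kvs = line.split()
    event = dict(kv.split("=", 1) for kv in kvs)
    event["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect(log_text, baseline=BASELINE_GEO):
    """Return a list of (rule, src, user) alerts in the order they fire."""
    alerts = []
    recent_fails = defaultdict(deque)   # src -> timestamps of failures in WINDOW
    bursting = set()                    # sources currently over FAIL_THRESHOLD
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        src, user, ts = ev["src"], ev["user"], ev["ts"]
        fails = recent_fails[src]
        while fails and ts - fails[0] > WINDOW:   # expire old failures
            fails.popleft()
        if ev["result"] == "FAIL":
            fails.append(ts)
            if len(fails) >= FAIL_THRESHOLD and src not in bursting:
                bursting.add(src)
                alerts.append(("brute_force", src, user))
        else:
            if src in bursting:   # a guess just worked: highest priority
                alerts.append(("success_after_burst", src, user))
            if ev["geo"] not in baseline.get(user, set()):
                alerts.append(("new_geo", src, user))
    return alerts


if __name__ == "__main__":
    for rule, src, user in detect(SAMPLE_LOG):
        print(f"{rule:20s} src={src:15s} user={user}")
```

Against the constructed log this yields four alerts: the brute-force burst, the success that follows it (which also trips the new-country rule for carol), and bob's login from Brazil. None of these would be caught by performance monitoring or by watching employee decryption requests, which is the gap the report describes.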
There was also no risk management framework, no security training program for staff -- the list goes on. According to the report: "This lack of an adequate framework failed to prevent the multiple security weaknesses described above and, as such, is an unacceptable shortcoming for an organisation that holds sensitive personal information or a significant amount of personal information, as in the case of ALM."
One key thing ALM failed to do, which was highlighted in the report, was to destroy or de-identify personal information no longer required. For companies that have not done this, it's a good time to remind them that, under the Australian Privacy Act, "organisation must take reasonable steps to destroy or de-identify information it no longer needs for any purpose for which the information may be used or disclosed under the Australian Privacy Principles (APPs). This means that an APP entity will need to destroy or de-identify personal information it holds if the information is no longer necessary for the primary purpose of collection, or for a secondary purpose for which the information may be used or disclosed under APP 6".
Commissioner Pilgrim said the report findings show the risk to businesses when they don't have proper risk management processes in place to protect personal information:
"This incident shows how that approach goes beyond 'IT issues' and must include training, policies, documentation, oversight and clear lines of authority for decisions about personal information security. The report offers important lessons to any businesses relying on personal information as part of their business model."
He also wanted to remind consumers that they need to make informed choices when it comes to providing their personal information online and to take privacy into their own hands:
"Be clear about what you are providing, the value you are getting in exchange, and understand that no organisation is 'breach-proof'."
You can find the investigation report here.