AshleyMadison used inadequate privacy and security technology while marketing itself as a discreet and secure way for consenting adults to have affairs, the Office of the Privacy Commissioner of Canada says.
In a report Tuesday, the privacy watchdog says the Toronto-based company violated numerous privacy laws in Canada and abroad in the era before a massive data breach exposed confidential information from their clients to hackers.
The hack stole correspondence, identifying details and even credit card information from millions of the site's users. At the time of the breach in July 2015, AshleyMadison claimed to have 36 million users and took in more than $100 million in annual revenue.
The resulting scandal cost the company about a quarter of its annual revenues from irate customers who demanded refunds and cancelled their accounts.
Working with a similar agency in Australia, the privacy group says the company knew that its security protocols were lacking but didn't do enough to guard against being hacked. The company even adorned its website with the logo of a "trusted security award" — a claim the company admits it fabricated.
Poor habits such as inadequate authentication processes and sub-par key and password management practices were rampant at the company, the report found.
Much of the company's efforts to monitor its own security were "focused on detecting system performance issues and unusual employee requests for decryption of sensitive user data," the report found.
- AshleyMadison data hack fails to spur cybersecurity overhaul
- AC/DC tweets prompt speculation about AshleyMadison hacker's ID
The company also inappropriately retained some personal information after profiles had been deactivated or deleted by users and did not adequately ensure the accuracy of customer email addresses, the report said. This meant that some people who had never signed up for Ashley Madison were included in databases published online after the hack, it said.
"Handling huge amounts of this kind of personal information without a comprehensive information security plan is unacceptable," privacy commissioner Daniel Therrien said in a statement. "This is an important lesson all organizations can draw from the investigation."
The company co-operated with the privacy watchdog's investigation and has agreed to a compliance agreement. That means if it is found later to have ignored any of the report's recommendations, it could be held liable in court.
"The company continues to make significant, ongoing investments in privacy and security to address the constantly evolving threats facing online businesses. These investments are the cornerstone of rebuilding consumer trust over the long term," company CEO Rob Segal said in a statement.