A joint investigation by Australian and Canadian government officials into the July 2015 Ashley Madison hack found a lack of risk management procedures.
The hack saw the data of approximately 36 million users of the extra-marital dating website uploaded online, despite promises before the breach from ALM (Avid Life Media Inc, now Ruby Corp, Ashley Madison’s parent company) that user data was secure.
As outlined in the report, at the time of the hack ALM did not have any adequate policies to deal with a breach. One major underlying fault in ALM’s handling of privacy related to its function for deleting user data.
Before the breach, users could pay to have their data deleted from ALM’s database, which was said to occur within a 24- to 48-hour period. However, Ashley Madison privately held onto this data for 12 months.
Furthermore, due to an alleged error, user information such as photos was held beyond that 12-month period.
Additionally, if a user initiated a fraudulent chargeback, claiming to their bank that they were not a user of Ashley Madison to obtain a refund, user information for those accounts was held by ALM.
Users were only informed of their information being held after purchasing the full delete option, and the policy regarding credit card chargebacks was hidden away in the terms and conditions.
The report stated that these policies, combined with the absence of security breach policies, are inadequate for a business that holds user information.
“ALM had no clear way to assure itself that its information security risks were properly managed,” the report stated.
“This lack of an adequate framework failed to prevent the multiple security weaknesses described above and, as such, is an unacceptable shortcoming for [a business] that holds sensitive personal information or a significant amount of personal information.
“Having documented security policies and procedures is a basic security safeguard, particularly for [a business] holding significant amounts of personal information.”
The Australian Privacy Commissioner, Timothy Pilgrim, said that the findings of the joint investigation showed what happens to businesses that store customer data and do not have adequate risk management policies in place.
“This incident shows how that approach goes beyond ‘IT issues’ and must include training, policies, documentation, oversight and clear lines of authority for decisions about personal information security,” Mr Pilgrim said.
“The report offers important lessons to any businesses relying on personal information as part of their business model.”
Mr Pilgrim added that while ALM did not meet any requirements for a business managing personal information, breaches can occur in even the best-run businesses.
According to Mr Hurren, a key aspect of digital security is making sure your strategies are up to date and your systems follow the basics of a healthy environment.
“[A healthy environment involves] making sure that you do have backups of your data, making sure your operating system and applications are up to date, that you have appropriate tools to meet the risks,” Mr Hurren said.
He added: “User awareness is key. At the end of the day, you have users that are interacting with your systems, and a lot of the time they're the ones that are being targeted ... so [make sure you know] what the risks are.”