On August 22, 2016, Canada’s Privacy Commissioner released its report on the security practices of Avid Life Media Inc. (ALM, rebranded as Ruby Corp), the Toronto-based parent company of the Ashley Madison dating site. Ashley Madison came under scrutiny last year after a massive data breach exposed the personal information of more than 32 million Ashley Madison users worldwide.

The Privacy Commissioner found that the company lacked a comprehensive privacy and security framework, despite the fact that Ashley Madison marketed itself as a “100% discreet service” for people seeking to have affairs. The company went so far as to place a phoney trustmark icon on its home page to reassure its users. The company’s officials removed their fabricated trustmark once the fraud was exposed.

Overall, the Privacy Commissioner found the following major security failures:

  • Inadequate authentication processes for employees accessing the company’s system remotely;
  • Storage of encryption keys as plain, clearly identifiable text on ALM’s systems, even though ALM’s network protections included encryption on all web communications between the company and its users;
  • Poor key and password management practices; and
  • Storage of passwords as plain, clearly identifiable text in emails and text files on the company’s systems.

Summary By: Jennifer R. Davidson

E-TIPS® ISSUE

16 09 07

E-TIPS is a registered trade-mark of Deeth Williams Wall LLP.