According to a joint investigation by the Office of the Privacy Commissioner of Canada and the Office of the Australian Information Commissioner, ALM had “inadequate security safeguards and policies” in place.
In particular, the lack of a centralized and robust cybersecurity framework was one of the most notable shortcomings, and it highlighted the company’s underestimation of what is required to keep data safe.
In spite of gaping holes in its security, the company nevertheless had in place a “phoney trustmark icon on its homepage to reassure users” that their personal information was safe and secure.
“Privacy breaches are a core risk for any organization with a business model based on the collection and use of personal information,” stated Daniel Therrien, privacy commissioner of Canada.
“Where data is highly sensitive and attractive to criminals, the risk is even greater. Handling huge amounts of this kind of personal information without a comprehensive information security plan is unacceptable.”
Mr Therrien concluded by saying that all organizations should learn from the Ashley Madison data breach – they need to invest in cybersecurity and ensure that it’s proactively dealt with.
The Impact Team claimed responsibility for the attack on July 12th by posting a message on the computers of Ashley Madison employees. With the music of AC/DC playing in the background, it read:
“We are the Impact Team. We have taken over all systems in your entire office and production domains, all customer information databases, source code repositories, financial records [and] emails.
“Shutting down AM [Ashley Madison] and EM [Established Men] will cost you, but non-compliance will cost you more: We will release all customer records, profiles … and matching credit card details … Avid Life Media will be liable for fraud and extreme harm to millions of users.”
Over 37 million people from around the world were affected by the Ashley Madison data breach.
by Narinder Purba, ESET We Live Security