Australian and Canadian Investigators Condemn Ashley Madison Security
Canadian and Australian privacy officials ruled Monday that Ashley Madison had used deceptive and confusing practices to make customers think its service was more secure than it actually was.
Privacy authorities have been investigating the Canadian-based company since last year’s hack, which released the personal information of 36 million users, including names, credit card numbers and sexual fantasies. Even though the website advertised discreet extramarital affairs, the investigators found the company did not meet minimum standards and privacy laws.
The investigators were particularly troubled that the website promoted itself with a fake security award. The website carried a medal icon that read “trusted security award.” Ashley Madison’s parent company, Ruby, later admitted the award was phony and removed it.
Officials were also concerned about the way Ashley Madison stored user data. All information was retained unless a user paid $15 for a full deletion–even if the user had deactivated their account. In both Australia and Canada, it is illegal to store a user’s information indefinitely if their account is deactivated.
On Tuesday, Ruby, formerly known as Avid Life Media, agreed to waive the information deletion fee.
Ruby has also hired a third-party to review its privacy protections, and the company says it plans to introduce new security measures. Despite last year’s breach, Ashley Madison still claims to have 47 million users.
If the company does not comply with the officials’ recommendations, Canadian and Australian courts can intervene.
The U.S. Federal Trade Commission is also investigating Ashley Madison.