The investigation report on the Ashley Madison data breach has blamed lax security measures as one of the primary reasons behind the breach, a problem that is almost pandemic in cybersecurity across the globe.
The investigation into the data breach was carried out jointly by the Privacy Commissioner of Canada and the Australian Privacy Commissioner/Acting Australian Information Commissioner, who blamed the “inadequate security safeguards and policies” that were in place at Avid Life Media (ALM), now Ruby Corp.
The investigation report pointed out the lack of a centralized and robust cybersecurity framework, which the investigators pegged as the most notable shortcoming. Further, the investigators found that the company effectively underestimated the security requirements for keeping data safe.
Another startling finding was that, despite massive holes in security, the Ashley Madison site had in place a “phoney trustmark icon on its homepage to reassure users” about the security of their data.
“Privacy breaches are a core risk for any organization with a business model based on the collection and use of personal information,” stated Daniel Therrien, privacy commissioner of Canada. “Where data is highly sensitive and attractive to criminals, the risk is even greater. Handling huge amounts of this kind of personal information without a comprehensive information security plan is unacceptable.”
The investigation report notes that although the parent company had a range of personal information security protections in place, it did not have an adequate overarching information security framework within which it assessed the adequacy of its information security. Certain security safeguards in some areas were insufficient or absent at the time of the data breach.
The findings of this report include important lessons for other organizations that hold personal information. The most broadly applicable lesson is that it is crucial for organizations that hold personal information electronically to adopt clear and appropriate processes, procedures and systems to handle information security risks, supported by adequate expertise (internal or external).
Mr Therrien concluded by saying that all organizations should learn from the Ashley Madison data breach – they need to invest in cybersecurity and ensure that it’s proactively dealt with.