The Australian Privacy Commissioner has released the final report on the Ashley Madison data breach which was a joint investigation with the Privacy Commissioner of Canada into the website’s handling of the personal information of its users.

At the time of the breach in August 2015, Ashley Madison (operated by Avid Life Media Inc.(ALM)) had approximately 36 million user profiles, including many Australians. The data breach included people’s account information, email addresses, security questions and in some cases billing and geolocation information.

The investigation initially examined the circumstances of the data breach and how it had occurred. It then considered ALM’s information handling practices that may have affected the likelihood or the impact of the data breach.

The report is highly critical of the dating website’s privacy and personal data security practices: there was no dedicated risk management process in place to protect personal information.

The report shows how risk management goes beyond ‘IT issues’ and must include training, policies, documentation, oversight and clear lines of authority for decisions about personal information security.

The primary issue under consideration was the adequacy of the safeguards ALM had in place to protect the personal information of its users. Although ALM’s security was compromised, a security compromise does not necessarily point to a contravention of the Australian Privacy Act. Whether a contravention the Australian Privacy Act occurred depends on whether ALM had, at the time of the data breach taken such steps as were reasonable in the circumstances to protect the personal information it held. The investigation identified a number of contraventions of the Australian Privacy Principles.

The investigation considered the following related information handling practices of ALM:

• ALM’s practice of retaining personal information of users after profiles had been deactivated or deleted by users, and when profiles were inactive (that is, had not been accessed by the user for an extended period of time);
• ALM’s practice of charging users to “fully delete” their profiles;
• ALM’s practice of not confirming the accuracy of user email addresses before collecting or using them; and
• ALM’s transparency with users about its personal information handling practices.

The Report concludes:

Although ALM had a range of personal information security protections in place, it did not have an adequate overarching information security framework within which it assessed the adequacy of its information security. Certain security safeguards in some areas were insufficient or absent at the time of the data breach.

The findings of this report include important lessons for other organizations that hold personal information. The most broadly applicable lesson is that it is crucial for organizations that hold personal information electronically to adopt clear and appropriate processes, procedures and systems to handle information security risks, supported by adequate expertise (internal or external). This is especially the case where the personal information held includes information of a sensitive nature that, if compromised, could cause significant reputational or other harms to the individuals affected. Organizations holding sensitive personal information or a significant amount of personal information, as was the case here, should have information security measures including, but not limited to:
•a security policy(cies);
•an explicit risk management process that addresses information security matters, drawing on adequate expertise; and
•adequate privacy and security training for all staff.

It is not sufficient for an organization such as ALM, or any organization that holds large amounts of personal information of a sensitive nature, to address information security without an adequate and coherent governance framework.

The OAIC and OPC provided a number of recommendations for ALM to follow to ensure it addressed the issues discussed in this report and brings itself into compliance with PIPEDA and the Australian Privacy Act with respect to those issues.

The … Acting Australian Information Commissioner has accepted an enforceable undertaking, from ALM. …ALM will be required to take significant additional steps to address the issues identified in this report to protect the privacy of individuals, some of which have already been initiated by ALM.