Avid Life Media, the Toronto-based parent company of the controversial Ashley Madison dating site that was badly breached a year ago, has come under harsh criticism from the privacy commissioners of two countries for its poor data security. Their joint report concludes that the company violated the privacy acts of Canada and Australia.
“Although ALM had a range of personal information security protections in place, it did not have an adequate overarching information security framework within which it assessed the adequacy of its information security. Certain security safeguards in some areas were insufficient or absent at the time of the data breach,” says the report issued Tuesday by the office of Canada’s privacy commissioner and the office of the Australian Information Commissioner.
“It is not sufficient for an organization such as ALM, or any organization that holds large amounts of personal information of a sensitive nature, to address information security without an adequate and coherent governance framework.”
Among the violations: Placing a fictitious “Trusted Security Award” logo on a Web site “to deliberately foster a false general impression among prospective users that the organization’s information security practices had been reviewed and deemed high quality by an independent third party.”
(This image appeared on the Ashley Madison Australia web site before last year’s breach. Image from the report)
Last month Avid Life Media rebranded itself as Ruby Corp. It announced this morning that it has entered into a compliance agreement with the Canadian privacy commissioner and an enforceable undertaking with the Australian privacy office.
“We hope that by openly speaking about the breach and our commitments to the OPC and the OAIC, we can help other organizations and business leaders who are facing increased cyber security challenges,” Ruby CEO Rob Segal said in a release. “The company has cooperated with the Commissioners throughout their investigation and will continue to share information with them as we honour the terms of the compliance agreement and enforceable undertaking.”
In particular, the report authors say ALM’s security framework lacked:
- documented information security policies or practices, as a cornerstone of fostering a privacy and security aware culture including appropriate training, resourcing and management focus;
- an explicit risk management process — including periodic and pro-active assessments of privacy threats, and evaluations of security practices to ensure ALM’s security arrangements were, and remained, fit for purpose; and
- adequate training to ensure all staff (including senior management) were aware of, and properly carried out, their privacy and security obligations appropriate to their role and the nature of ALM’s business.
A group calling itself the Impact Team took credit for the July 2015 breach, threatening to publish the stolen data unless ALM shut down its Ashley Madison and Established Men dating websites. ALM refused, and in August a large number of files were posted online, including details from approximately 36 million Ashley Madison user accounts.
The report notes that some of those subscribers received extortion attempts, threatening to disclose their involvement with the site to family members or employers unless they paid up. Not every subscriber used their real names, the report adds. But, it says, “ALM could have reasonably foreseen that the disclosure of the information held by it to an unauthorized person, or to the world at large, could have significant adverse consequences for the many people who could be identified.”
The report agrees with ALM that it can’t be expected to have the same level of documented compliance frameworks as larger and more sophisticated organizations. “However,” the report adds, “there are a range of factors in the present circumstances that indicate that ALM should have implemented a comprehensive information security program. These circumstances include the quantity and nature of the personal information ALM held, the foreseeable adverse impact on individuals should their personal information be compromised, and the representations made by ALM to its users about security and discretion.”
The report concludes that the attacker(s) got in by compromising an employee’s valid account credentials and then moved through the network. ALM didn’t have multi-factor authentication, the report points out. “Given the risks to individuals’ privacy faced by ALM, ALM’s decision not to implement multi-factor authentication for administrative remote access in these circumstances is a significant concern,” the report says.
It’s not that ALM was defenceless: Network protections included network segmentation, firewalls, and encryption on all web communications between ALM and its users, as well as on the channel through which credit card data was sent to ALM’s third party payment processor, the report says. All external access to the network was logged. All network access was via a VPN, with authorization granted on a per-user basis and authentication through a ‘shared secret.’ There was anti-malware and anti-virus software. Particularly sensitive information, specifically users’ real names, addresses and purchase information, was encrypted, and internal access to that data was logged and monitored (including alerts on unusual access by ALM staff). Passwords were hashed using the BCrypt algorithm (excluding some legacy passwords that were hashed using an older algorithm).
But, the report says, there were poor encryption key and password management practices.
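The report's two remarks above, that some passwords still sat under an older hash and that password management was weak, point at a common gap: a stronger hash is adopted for new accounts, but the legacy records persist until each user logs in again or is forced to reset. The following is an added example, not ALM's code or anything described in the report. It shows the standard opportunistic-upgrade pattern: verify a login against whichever scheme the stored record uses, and if the record is legacy and the password checked out, rehash it with the current scheme while the plaintext is in hand. Assumptions: the legacy scheme is unsalted MD5 (the report does not name it), and PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt, which is not in the standard library; in production you would use the `bcrypt` package's `hashpw`/`checkpw` in the same positions. The sample user records are constructed.

```python
"""Opportunistic upgrade of legacy password hashes at login time (added example).

PBKDF2-HMAC-SHA256 stands in for bcrypt here because bcrypt is not in the
standard library. The legacy scheme is assumed to be unsalted MD5.
"""
import hashlib
import hmac
import os

# Assumption: iteration count tuned to roughly 100 ms per hash on the login servers.
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str) -> str:
    """Hash with the current scheme: random 16-byte salt, self-describing record."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def is_legacy(stored: str) -> bool:
    """Records written by the old (assumed unsalted MD5) scheme carry an 'md5$' prefix."""
    return stored.startswith("md5$")


def verify(stored: str, password: str) -> bool:
    """Check a password against a record of either scheme, in constant time."""
    if is_legacy(stored):
        cand = hashlib.md5(password.encode()).hexdigest()
        return hmac.compare_digest(stored[len("md5$"):], cand)
    scheme, iters, salt, dk = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False  # unknown scheme: fail closed rather than guess
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt), int(iters))
    return hmac.compare_digest(cand.hex(), dk)


class UserStore:
    """In-memory stand-in for the credential table; records map user -> hash string."""

    def __init__(self, records):
        self.records = dict(records)

    def login(self, user: str, password: str) -> bool:
        stored = self.records.get(user)
        if stored is None:
            hash_password(password)  # spend the same time as a real check; hinders user enumeration
            return False
        if not verify(stored, password):
            return False
        if is_legacy(stored):
            # Correct password and we hold the plaintext: rehash now, so the legacy
            # record never survives a successful login.
            self.records[user] = hash_password(password)
        return True

    def legacy_users(self):
        """Remaining legacy population; anyone still here at the cut-off date gets a forced reset."""
        return sorted(u for u, s in self.records.items() if is_legacy(s))


# Constructed sample records: one legacy MD5 user, one already on the current scheme.
SAMPLE_RECORDS = {
    "alice": "md5$" + hashlib.md5(b"correct horse").hexdigest(),
    "bob": hash_password("tr0ub4dor"),
}

if __name__ == "__main__":
    store = UserStore(SAMPLE_RECORDS)
    print("legacy before:", store.legacy_users())
    print("alice login:", store.login("alice", "correct horse"))
    print("legacy after:", store.legacy_users())
```

The `legacy_users()` count is the metric to watch: upgrade-on-login only drains accounts that log in, so dormant accounts keep the weak hash indefinitely unless a deadline triggers a forced reset or the stored MD5 values are themselves wrapped in the new scheme.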
“The attacker took a number of steps to avoid detection and to obscure its tracks,” the report says. “For example, the attacker accessed the VPN network via a proxy service that allowed it to ‘spoof’ a Toronto IP address. It accessed the ALM corporate network over a long period of time in a manner that minimized unusual activity or patterns in the ALM VPN logs that could be easily identified. Once the attacker gained administrative access, it deleted log files to further cover its tracks. As a result, ALM has been unable to fully determine the path the attacker took.”
“ALM did have some detection and monitoring systems in place, but these were focused on detecting system performance issues and unusual employee requests for decryption of sensitive user data. ALM had not implemented an intrusion detection system or prevention system and did not have a security information and event management system in place, or data loss prevention monitoring.
“VPN logins were tracked and reviewed on a weekly basis, however unusual login behaviour, which could give indicators of unauthorized activity, was not well monitored. For instance, it was only in the course of investigating the current incident that ALM’s third party cybersecurity consultant discovered other instances of unauthorized access to ALM’s systems, using valid security credentials, in the weeks immediately preceding its discovery of the breach in question. This further reinforces our view that ALM was not adequately monitoring its systems for indications of intrusion or other unauthorized activity.”
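The two findings quoted above, a proxy that made the attacker's source IP look local and VPN logins that were reviewed weekly but not checked for unusual behaviour, show why geography-only review is not enough. The following is an added example, not ALM's tooling and not anything the report describes; it runs three checks a weekly (or continuous) review could apply to VPN login records: a source IP the account has never used, a login at an hour far from the account's habitual hours, and a session opened while another session for the same account from a different IP is still active. The log format and the records are constructed; the baseline window, hour tolerance and session expiry are assumed parameters.

```python
"""VPN login anomaly checks: frozen per-account baseline plus session concurrency.

Added example, not ALM's tooling. The record format and sample data are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (hypothetical format):
# <UTC timestamp> user=<account> src=<source IP> event=<login|logout>
SAMPLE_LOG = """\
2015-06-01T13:02:11Z user=jdoe src=203.0.113.10 event=login
2015-06-01T21:30:40Z user=jdoe src=203.0.113.10 event=logout
2015-06-02T13:10:05Z user=jdoe src=203.0.113.10 event=login
2015-06-02T22:01:19Z user=jdoe src=203.0.113.10 event=logout
2015-06-03T12:58:47Z user=jdoe src=203.0.113.10 event=login
2015-06-03T21:45:02Z user=jdoe src=203.0.113.10 event=logout
2015-06-08T13:05:30Z user=jdoe src=203.0.113.10 event=login
2015-06-08T15:20:00Z user=jdoe src=198.51.100.77 event=login
2015-06-08T15:41:12Z user=jdoe src=198.51.100.77 event=logout
2015-06-08T21:50:09Z user=jdoe src=203.0.113.10 event=logout
2015-06-09T04:12:33Z user=jdoe src=198.51.100.77 event=login
2015-06-09T04:30:00Z user=jdoe src=198.51.100.77 event=logout
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) src=(\S+) event=(login|logout)$")
BASELINE = timedelta(days=7)       # assumed: profile each account from its first week of activity
HOUR_TOLERANCE = 2                 # assumed: hours away from any baseline login hour before flagging
MAX_SESSION = timedelta(hours=12)  # assumed: an open session older than this is treated as stale


def parse(text):
    """Parse log text into sorted (timestamp, user, src, event) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, user, src, event = m.groups()
            events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, src, event))
    return sorted(events)


def hour_distance(h, hours):
    """Smallest circular distance (0-12) between hour h and any hour in the set."""
    return min(min(abs(h - k), 24 - abs(h - k)) for k in hours)


def detect(events):
    """Return (timestamp, user, rule, detail) findings for logins after the baseline window."""
    if not events:
        return []
    baseline_end = events[0][0] + BASELINE
    known_ips, known_hours = defaultdict(set), defaultdict(set)
    open_sessions = defaultdict(dict)  # user -> {src: login time}
    findings = []
    for ts, user, src, event in events:
        if event == "logout":
            open_sessions[user].pop(src, None)
            continue
        # Expire stale sessions so a deleted or lost logout record cannot pin a session open forever.
        for ip, started in list(open_sessions[user].items()):
            if ts - started > MAX_SESSION:
                del open_sessions[user][ip]
        if ts < baseline_end:
            # Baseline period: learn only. The profile is frozen afterwards so that a
            # low-and-slow intruder cannot teach the detector that its access is normal.
            known_ips[user].add(src)
            known_hours[user].add(ts.hour)
        else:
            if src not in known_ips[user]:
                findings.append((ts, user, "new_source_ip", src))
            if known_hours[user] and hour_distance(ts.hour, known_hours[user]) > HOUR_TOLERANCE:
                findings.append((ts, user, "off_hours_login", f"hour={ts.hour:02d}"))
            others = sorted(ip for ip in open_sessions[user] if ip != src)
            if others:
                findings.append((ts, user, "concurrent_sessions", f"{src} while {others} active"))
        open_sessions[user][src] = ts
    return findings


if __name__ == "__main__":
    for ts, user, rule, detail in detect(parse(SAMPLE_LOG)):
        print(f"{ts:%Y-%m-%d %H:%M}Z {user:<8} {rule:<20} {detail}")
```

On the sample data the second IP is flagged the first time it appears and again the next day; nothing about it is geographically odd, which is the point: the concurrency and time-of-day rules do not depend on where the address claims to be. The frozen baseline is a deliberate trade-off: it produces repeat alerts for a legitimately new home IP until an analyst accepts it, but it does not quietly absorb an intruder's pattern over weeks of use, which is what the report says happened at ALM.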
The report goes on to say ALM claimed that although no risk management framework was documented, its security program was based on an assessment of potential threats. ALM did undertake patch management and quarterly vulnerability assessments as required under PCI-DSS rules. “However, it could not provide evidence that it had undertaken any structured assessment of the overall threats facing it, or that it had assessed its information security framework through standard exercises such as internal or external audits or evaluations.”
At the time of the breach, a security training program had recently been developed, the report says, but had only been delivered to approximately 25 per cent of staff — principally new hires, C-level executives and senior IT staff.
“Though ALM had some security safeguards in place, those safeguards appeared to have been adopted without due consideration of the risks faced, and absent an adequate and coherent information security governance framework that would ensure appropriate practices, systems and procedures are consistently understood and effectively implemented,” the report concludes. “As a result, ALM had no clear way to assure itself that its information security risks were properly managed. This lack of an adequate framework failed to prevent the multiple security weaknesses described above and, as such, is an unacceptable shortcoming for an organization that holds sensitive personal information or a significant amount of personal information, as in the case of ALM.”
In its agreements with the privacy commissioners Ruby has promised to complete a comprehensive third-party review of the protections it has in place to protect personal information by Dec. 31. In addition, no later than May 31, 2017, the company will further augment, document and implement its information security framework, a process the company says is “well underway.” That includes mandatory security and privacy awareness training for employees and an ongoing security enhancement process.