
AP Photo/Lee Jin-man

Probe into Ashley Madison hack finds site's security had 'serious shortcomings'

The report found that the site had also faked a security trustmark, misleading users into thinking it met high security standards.

THE SECURITY MEASURES Ashley Madison took to protect users’ accounts were described as having “serious shortcomings”.

The Australian Privacy Commissioner and the Privacy Commissioner of Canada held a joint investigation into the site and its security measures and found it didn’t have the “appropriate safeguards in place considering the sensitivity of the personal information [it had]… nor did it take reasonable steps in the circumstances to protect the personal information it held”.

The adult dating site, aimed at those who wanted to have an affair, hosted 36 million user profiles at the time it was hacked back in July 2015.

It also used a fake security trustmark to give users the impression its security was verified by an independent third party.

“Though ALM (Avid Life Media, Ashley Madison’s parent company) had some security safeguards in place, those safeguards appeared to have been adopted without due consideration of the risks faced,” the report said. “As a result, ALM had no clear way to assure itself that its information security risks were properly managed”.

This lack of an adequate framework failed to prevent the multiple security weaknesses described above and, as such, is an unacceptable shortcoming for an organisation that holds sensitive personal information or a significant amount of personal information, as in the case of ALM.

Examples of poor security practices included allowing only a single factor of authentication (something you know) instead of including a second form of authentication like a code sent to your phone or a fingerprint or retina scan.

Also, the security measures taken by the company weren’t up to scratch, especially in the area of key and password management. This included the VPN (Virtual Private Network) ‘shared secret’ – a common passphrase used by all VPN users to access a particular network segment – being saved on Google Drive.

This meant that anyone with access to an employee’s account could have potentially discovered it.

Instances where it stored passwords and encryption keys as plain, identifiable text were also found on the systems.

8 Comments
    Juan Venegas
    Aug 24th 2016, 3:42 PM

    Jaysus! Almost no one commenting. There must be a lot more worried people than I thought… Keeping your mouth shut is your best bet now Lol.

    32
    €uromancer
    Aug 24th 2016, 2:03 PM

    Maybe they got ‘safewords’ confused with ‘passwords’?

    27
    John O'Brien
    Aug 24th 2016, 1:53 PM

    And the rabid NO camp on the SSM debate said the gays would destroy the sanctity of marriage…

    18
    Eugene Walsh
    Aug 24th 2016, 1:11 PM

    What? So they were hoodwinking people? No way. Hey, I said winking. … c’mon

    18
    Do the Bort man
    Aug 24th 2016, 1:29 PM

    Wonder did the clients have short comings

    34
    John Strahan
    Aug 24th 2016, 2:35 PM

    No happy endings here

    16
    Alan Farrell
    Aug 24th 2016, 1:53 PM

    It took them how long to come to this conclusion???

    15
    John Mahon
    Aug 24th 2016, 6:07 PM

    #noprotection ? #ihopethatsapun

    7