The Ashley Madison website.
Photograph by Carl Court—Getty Images

How not to do data security

By Jeff John Roberts
August 25, 2016

If a company’s main product is discreet sexual services, it should probably lock down its customer data good and tight. Ashley Madison, a website for adultery, took a different approach: it employed terrible safeguards, and sought instead to reassure users by posting a fake icon called “trusted security award” on its website.

Those are the conclusions of a damning report from Canadian and Australian privacy regulators, who have been investigating Ashley Madison over a calamitous data breach that occurred last year. The breach saw hackers steal the names and emails of 36 million Ashley Madison members, and then post them publicly as part of an apparent blackmail campaign.

The privacy report, released on Tuesday, described a host of security failings, while pointing out that Ashley Madison knew exactly how important discretion and secrecy were to its users.

Specific security failings included leaving an important password on a shared Google Drive, and storing encryption keys and passwords in plain text. And then there’s the “award.”
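The report's plain-text finding is worth making concrete. The following is an added example, not code from the article or from Ashley Madison, and the user names and passwords in it are constructed. It contrasts a credential store that keeps the secret itself (so anyone who obtains a copy of the store reads every password) with one that keeps only a salted PBKDF2 hash, which can still verify a login but cannot be read back into a password.

```python
import hashlib
import hmac
import os

# Constructed sample credential; not data from the breach.
SAMPLE_USER = "alice"
SAMPLE_PASSWORD = "correct horse battery staple"


def store_plaintext(db: dict, username: str, password: str) -> None:
    """The pattern the regulators criticised: the secret is stored as-is."""
    db[username] = password


def store_hashed(db: dict, username: str, password: str,
                 iterations: int = 200_000) -> None:
    """Store only a per-user salt plus a PBKDF2-HMAC-SHA256 digest of the password."""
    salt = os.urandom(16)  # unique per record, so identical passwords hash differently
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    db[username] = {"salt": salt, "iterations": iterations, "hash": digest}


def verify_hashed(db: dict, username: str, password: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    record = db.get(username)
    if record is None:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["hash"])


def store_reveals_password(db: dict, username: str, password: str) -> bool:
    """Model a stolen copy of the store: does the record contain the password itself?"""
    record = db[username]
    if isinstance(record, str):
        return record == password
    return password.encode() in b"".join(
        v if isinstance(v, bytes) else str(v).encode() for v in record.values()
    )


def demo() -> dict:
    """Run both storage styles side by side and report what each exposes."""
    plain_db, hashed_db = {}, {}
    store_plaintext(plain_db, SAMPLE_USER, SAMPLE_PASSWORD)
    store_hashed(hashed_db, SAMPLE_USER, SAMPLE_PASSWORD)
    return {
        "plaintext_exposed": store_reveals_password(plain_db, SAMPLE_USER, SAMPLE_PASSWORD),
        "hashed_exposed": store_reveals_password(hashed_db, SAMPLE_USER, SAMPLE_PASSWORD),
        "hashed_login_ok": verify_hashed(hashed_db, SAMPLE_USER, SAMPLE_PASSWORD),
        "hashed_login_wrong": verify_hashed(hashed_db, SAMPLE_USER, "wrong password"),
    }


if __name__ == "__main__":
    print(demo())
```

The same principle applies to the encryption keys the report mentions: material that only needs to be checked should be stored as a hash, and material that must be recovered (keys) belongs in a secrets manager or HSM with access controls and audit logging, not in a document share or a plain-text file.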

“Finally, with respect to transparency, investigators found that at the time of the breach, the home page of the Ashley Madison website included various trustmarks suggesting a high level of security, including a medal icon labelled ‘trusted security award,’” says a release related to the report.

A spokesperson for Ashley Madison pointed to a company blog post about the report. In the post, Ashley Madison’s new CEO explains the company is investing in new security measures as part of a process to rebuild consumer trust.

Meanwhile, Ashley Madison is also struggling to stave off a sweeping class action lawsuit that seeks compensation for the millions of people affected by the breach.

The lawsuit overcame an important hurdle recently when a number of former Ashley Madison users agreed to put their names on the lawsuit. In December, a judge ruled the lead plaintiffs had to provide their real names and could not sue as “John Doe” to avoid embarrassment.

According to Jim McDonough, one of the lawyers for the users, the company is trying to push the case into arbitration but is unlikely to succeed. McDonough added that an alleged arbitration clause on the website is not enough to bind the users, and that he expects to seek so-called “class certification” soon.

As for Ashley Madison, the company appears to be pursuing business as usual. This is perhaps surprising given its horrible 2015 that included not only the disastrous data breach, but reports that many of the alleged women on its site were actually bots.

The company has, however, changed the name of its parent company from Avid Media to Ruby, and its homepage now declares it is “so much more” than a place for infidelity.