AshleyMadison security protocols violated privacy laws, watchdog says

AshleyMadison used inadequate privacy and security technology while marketing itself as a discreetand secure way for consenting adults to have affairs, the Office of the Privacy Commissioner of Canada says.

In a report Tuesday, the privacy watchdog says the Toronto-based company violated numerous privacy laws in Canada and abroad in the era before a massive data breach exposed confidential information from their clients to hackers.

The hack stole correspondence, identifying details and even credit card information from millions of the site's users. At the time of the breach in July 2015, AshleyMadison claimed to have 36 million usersand took in more than $100 million in annual revenue.

• AshleyMadison's members by the numbers
• AshleyMadison pitches relaunch with new ad campaign

The resulting scandal cost the company about a quarter of its annual revenues from irate customers who demanded refunds and cancelled their accounts.

Working with a similar agency in Australia, the privacy group says the company knew that its security protocols were lacking but didn't do enough to guard against being hacked. The company even adorned itswebsite with the logo of a "trusted security award" a claimthe company admits it fabricated.

• AshleyMadison CEO steps down amid massive data breach

Poor habits such asinadequate authentication processes and sub-par key and password management practices were rampant at the company, the report found.

Much of the company's efforts to monitor its own security were "focused on detecting system performance issues and unusual employee requests for decryption of sensitive user data," the report found.

• AshleyMadison data hack fails to spur cybersecurity overhaul
• AC/DC tweets prompt speculation about AshleyMadison hacker's ID

The company also inappropriately retained some personal information after profiles had been deactivated or deleted by users and did not adequately ensure the accuracy of customer email addresses, the report said. This meant that some people who had never signed up for Ashley Madison were included in databases published online after the hack, it said.

"Handling huge amounts of this kind of personal information without a comprehensive information security plan is unacceptable," privacy commissionerDanielTherriensaid in a statement. "This is an important lesson all organizations can draw from the investigation."

The company co-operated with the privacy watchdog's investigation and has agreed to a compliance agreement. That means if it is found later to have ignored any of the report's recommendations, it couldbe held liable in court.

"The company continues to make significant, ongoing investments in privacy and security to address the constantly evolving threats facing online businesses. These investments are the cornerstone of rebuilding consumer trust over the long term," company CEORob Segalsaid in a statement.