Australian Privacy Commissioner Timothy Pilgrim has tested the jurisdictional limits of his role by ruling Canadian company Avid Life Media breached local privacy laws when its dating website Ashley Madison lost sensitive customer data in a 2015 attack.
The Office of the Australian Information Commissioner has published the findings of a joint review with its Canadian counterparts, claiming it has the power to use the Australian Privacy Act against the overseas entity because the personal information of Australians was caught up in the high-profile breach.
The pair have issued a number of court-enforceable actions to the discredited company, and a failure to comply with them could see it incur fines of up to $1.7 million at the Australian end alone.
The probe found the Toronto-based company had inadequate safeguards in place, including poor password management and a fabricated security trustmark on the website's home page.
While the company did have some personal information protections in place, it fell short in implementing those measures, the report found. For instance, it said some passwords and encryption keys were stored as plain, identifiable text on the company's systems.
The site fell short of the 'reasonable steps' to steps to secure personal information demanded by the Australian Privacy Act, with no discernible intrusion monitoring system in place to detect unusual activity.
The company argued that "it cannot be expected to have the same level of documented compliance frameworks as larger and more sophisticated organisations."
But the commissioners responded that due to the "quantity and nature of the personal information ALM held, the foreseeable adverse impact on individuals should their personal information be compromised, and the representations made by ALM to its users about security and discretion," they had a duty to protect the data better.
At the time of the breach, Ashley Madison's home page displayed various trustmarks suggesting a high level of security, including an icon labeled "trusted security award," the report said. Company officials later admitted they had fabricated the trustmark and removed it.
The company also inappropriately retained some personal information after profiles had been deactivated or deleted by users and did not adequately ensure the accuracy of customer email addresses, the report said.
This meant that some people who had never signed up for Ashley Madison were included in databases published online after the hack - including the Prime Minister of New Zealand - as well as users who had paid a CAD$19 fee to have their accounts fully wiped, but whose data AML still held onto beyond legal limits.
Among the investigators' recommendations, Ashley Madison's parent company will have until the end of the year to complete a review of the protections it has in place for the protection of personal information. The company said on Tuesday the review was a key priority and already underway.
The company is also the target of a US Federal Trade Commission investigation, Avid Life Media executives told Reuters in July.
The FTC's consumer protection unit investigates cases of deceptive advertising, including instances when consumers are told that their information is secure but then it is handled sloppily.
The FTC could not immediately be reached for comment.