Privacy watchdogs: Ashley Madison's security was 'unacceptable'

Its security was no good, but you knew that already.
By Ariel Bogle

The online security of notorious cheating website Ashley Madison had "unacceptable shortcomings."

That fact must have been bitterly obvious to any of its users who had their names, emails and banking details leaked online in mid-2015. It's also the final judgment of a joint investigation between the Australian Privacy Commissioner and the Privacy Commissioner of Canada, the results of which were published Wednesday.

Owned by Avid Life Media (ALM), the site's troubles began in July 2015 when a hacking group called The Impact Team threatened to leak user details unless the company shut down two of its adult dating sites, Established Men and Ashley Madison.


Not long after, up to 36 million Ashley Madison user accounts were dumped online. Many of those accounts were later determined to be fem-bots set up by the company to interact with male users, a practice the company has said it no longer indulges in.

The privacy commissioners of both countries began their joint investigation in August 2015, focusing on the security safeguards put in place by ALM, now renamed as Ruby Corp.

Of particular concern were four questionable practices: the retaining of personal data after a user had deleted their account, the company's policy of charging for what it called a "full delete," its failure to confirm email addresses, and its lack of transparency about how it handled user data.

The report found ALM had failed to put in place an "explicit risk management process," and had also failed to properly train staff about their privacy obligations.

"While ALM fell well short of the requirements we would expect for an organisation managing personal information, breaches can occur in the best run companies," Australian Privacy Commissioner Timothy Pilgrim said in a statement.

Ruby Corp has offered court-enforceable commitments to both commissioners that it will improve its security practices. "The company continues to make significant, ongoing investments in privacy and security," Ruby Corp CEO Rob Segal said in a statement. It is now offering free account deletion to users, among other changes.

Let's hope the security updates are sufficient, because Ashley Madison is now trying to woo back customers.

According to Mark Gregory, privacy expert and senior lecturer at Melbourne's RMIT University, the report highlights the need for mandatory data breach laws to be passed in Australia.

"The recommendations are all very good, the problem is that it's all happened far too late and far too much damage has been done," he told Mashable Australia.

In his view, such laws would force companies to improve their security systems, for fear of falling afoul of a requirement to mandatorily contact people and tell them what had happened.

Australian companies do not have a clean slate when it comes to the leaking of personal customer details online. In 2015, Kmart and David Jones suffered data breaches, among others.

In 2015, the government released a draft of a data breach notification bill, but its progress through parliament has stalled. The government "remains committed" to introducing the mandatory data breach notification legislation, an Attorney-General's Department spokesperson told Mashable Australia.

Gregory said the government is letting down consumers by not passing the legislation and putting the onus on the industry to improve their security practices.

"The lack of mandatory data breach reporting legislation, the lack of legislated penalties for failing to comply with reasonable privacy requirements -- it makes you wonder, what onus would there be for a company like Ashley Madison to do anything recommended in the report in Australia?"

UPDATE: Aug. 25, 2016, 2:19 p.m. AEST Attorney-General's Department statement added.

Ariel Bogle

Ariel Bogle was an associate editor with Mashable in Australia covering technology. Previously, Ariel was associate editor at Future Tense in Washington DC, an editorial initiative between Slate and New America.
