The Ashley Madison dating site had “inadequate” security systems and used fake icons to make people think it was safe, reveals a report.
The Toronto-based firm’s security systems were investigated by privacy watchdogs in Canada and Australia.
The attack on Ashley Madison in July 2015 took data on millions of users.
Avid Life Media, which owns Ashley Madison, has already said it will abide by the report’s findings to improve the way it handles data.
Canada’s Office of the Privacy Commissioner (COPC) and the Office of the Australian Information Commissioner started an investigation into how Avid Life Media handled customer data soon after the attack.
The report released this week revealed that Avid Life violated privacy laws in both countries thanks to the lax way it oversaw data that users surrendered to it when they signed up.
“Privacy breaches are a core risk for any organisation with a business model based on the collection and use of personal information,” said Daniel Therrien, Canada’s privacy commissioner, in a statement.
He said that although the site billed itself as “100% discreet” it did not do enough to protect personal data because well-known security safeguards were “insufficient or absent”.
“Handling huge amounts of this kind of personal information without a comprehensive information security plan is unacceptable,” added Mr Therrien.
The failings found in the report included system passwords being held in plain text on easy-to-access internal servers and in emails and text files that were regularly passed around within the company. Avid also did little to properly authenticate who was accessing its systems remotely, said the report.
“Ashley Madison’s shortcomings were generally avoidable through relatively straightforward measures,” said Marc Dautlich, an information law expert at Pinsent Masons. “And the cost of the consequences which it has now incurred are far greater than the cost of prevention would have been.”