Poor administrator identity and access management controls were at the heart of last year's huge data breach at Avid Life Media Inc. (now called Ruby Corp.), the Canadian parent company of Ashley Madison and related global dating sites, that led to the release of personal information from 36 million user accounts.
The lack of multi-factor authentication for controlling remote administrative access was described as a "significant concern" by the privacy commissioners of Canada and Australia in a joint report issued Tuesday into the breach.
It's an old and well-known problem: according to this year's annual Verizon Data Breach Investigations Report, 63 per cent of the 3,141 confirmed data breaches it investigated around the world last year involved leveraging weak, default or stolen passwords.
But the company that advertised itself as having a "100% discreet service" had inadequate security safeguards and policies, the report concluded.
It was one of the lessons that all Canadian organizations subject to the federal Personal Information Protection and Electronic Documents Act (PIPEDA) can learn from the international incident, says an addendum to the main report.
Those lessons include:
- Organizations should carefully consider all potential harms to customers or partners from a breach of personal information in their care, not just financial harms, so that they can properly assess and mitigate risks. In ALM's business, loss of personal data could (and did) affect people's personal reputation.
- Organizations may have firewalls and scanners, but these safeguards should be supported by an adequate information security governance framework, to ensure that practices are "appropriate to the risks" and "consistently understood and effectively implemented." At ALM, the investigation concluded that the lack of such a framework was an "unacceptable shortcoming" which "failed to prevent multiple security weaknesses."
- Be straight up with data deletion and retention policies. PIPEDA gives individuals the ability to withdraw consent to the collection and use of their personal information. ALM charged a $19 fee to fully delete a subscriber's data, and, the report notes, there was confusion over whether data was fully deleted. Whether such a fee is reasonable would have to be evaluated in light of factors such as the actual cost to the organization relative to the fee charged, and the likely influence it would have on the individual's decision on whether to withdraw consent, the report says.
Even if a fee is reasonable, the report adds, it would have to be clearly and conspicuously communicated before an individual provides consent. "Overall," the report warns, "organizations should treat the decision to implement such a fee with appropriate gravity."
- Data retention policies should be based on a demonstrable rationale and timeline. ALM legitimately held on to deleted profiles for several months for legal reasons. But inactive and deactivated profile information was kept indefinitely.
- Be accurate. ALM required, but didn't verify, the email addresses of registrants. On the one hand, that allowed people to deny being associated with Ashley Madison. On the other hand, it creates unnecessary reputational risks for others: someone could create a fake profile using another person's email address. "The requirement to maintain accuracy must consider the interests of all individuals about whom information might be collected, including non-users," says the report.
- Be transparent about security. False or misleading statements may affect the validity of user consent. ALM's home page showed a phony trust mark in the form of a "Trusted Security" icon. "Organizations should be aware that deceptive statements will call into question the validity of consent," says the report.
- Be clear. Under PIPEDA, consent is only valid if it is reasonable to expect that an individual would understand the nature, purposes and consequences of the collection, use or disclosure of personal information to which they are consenting. "In the ALM investigation, it became clear that even a close reading of the information provided before registration did not offer key information that may have influenced someone's decision on whether to sign up," says the report. "For example, there was no mention of the fee to have personal information deleted from the service. Organizations should take note that a failure to be open about personal information handling practices, including omitting or lacking clarity about key practices, may bring into question the validity of consent."
Ruby's new CEO has signed a compliance agreement to address these issues.
But for infosec pros the sections on the weakness in remote administrator access control will be of most interest.
ALM thought it had a good system, one that required those with remote access privileges to have three things: a username, a password and a so-called shared secret, a passphrase. (In addition, they'd need to know the VPN group name and the IP address of ALM's VPN server.)
But, the report notes, all three things are "something you know," so in effect it was single-factor authentication. Not only that, the shared secret was stored on ALM's Google Drive, so anyone with access to any ALM employee's drive on any computer, anywhere, could potentially have discovered it.
Had the company insisted administrators use two- or multi-factor authentication, the attack might not have been successful.
The details of what happened are still murky, despite a forensic investigation by ALM. The report says the company believes the attacker(s) somehow (phishing, social media, a keylogger?) got hold of an employee's credentials. The attack was first noticed on July 12, 2015, when IT staff "detected unusual behaviour" in the database management system suggesting unauthorized access.
However, the company believes the intrusion actually happened several months earlier, which is logical given the amount of data that was exfiltrated, and that the attacker moved around to learn the network topology and gained increasing administrator access.
The report notes that forensic analysts can't determine some details because once the attacker obtained administrator access, logs were erased. The attacker also took steps to avoid detection, including accessing the company VPN via a proxy service that allowed it to spoof a Toronto IP address.
It didn't help that for an organization with $100 million in revenue, ALM didn't have an intrusion detection or prevention system, a security information and event management (SIEM) system or data loss prevention monitoring.
VPN logins were tracked and reviewed only weekly. Unusual login behaviour (and in this case it's not clear whether the attacker's actions would have been seen as unusual) was not well monitored, says the report. In fact, it was only while investigating this attack that ALM's third-party cyber security consultant discovered there had been unauthorized access to ALM's systems, using valid security credentials, in the weeks before the July 12, 2015, discovery. "This further reinforces our view that ALM was not adequately monitoring its systems for indications of intrusion or other unauthorized activity," says the report.
Ruby has now adopted two-factor authentication for administrators.