The company that owns the affair dating site Ashley Madison, which was behind a mass privacy breach, has agreed to court-enforceable improvements in handling personal information.
A joint Australian and Canadian privacy commissioner investigation into how the details of millions of users were published online by hackers has released a "highly critical" report of the website's privacy.
Among the users were hundreds of Australian government employees and thousands of citizens, including some who had paid Ashley Madison to delete their accounts.
The hacked data, released on the dark web last year, included credit card details, email accounts and home addresses.
The joint report investigated the privacy practices of parent company Avid Life Media, and found it did not have an adequate information security framework.
News that makes sense
Your trusted source for staying up-to-date with the world around you. Get free daily news updates and analysis, straight to your inbox.
In the first ever joint Australian and Canadian privacy investigation, the commissioners investigated ALM's retention of personal information after profiles were deactivated.
They also looked at ALM's practice not to confirm the accuracy of users' email addresses and its transparency over handling of personal information.
The report made a series of recommendations, all of which ALM has agreed to implement.
Among them are reviewing protections of personal information, advising staff of security procedures, stopping retention of information from deactivated accounts and no longer charging users to delete their information.
The hackers, who called themselves the Impact Team, demanded the site be shut down before releasing the data in retaliation.
The commissioners say the report contains important lessons for other organisations that hold personal information.
"The findings of our joint investigation reveal the risks to businesses when they do not have a dedicated risk management process in place to protect personal information," Australian privacy commissioner Timothy Pilgrim said.
Companies must think beyond IT systems to staff training, policies, oversight and clear lines of authority, he said.
The commissioner also used the report to warn customers to guard their personal data.
"While ALM fell well short of the requirements we would expect for an organisation managing personal information, breaches can occur in the best-run companies," Mr Pilgrim said.
"Be clear about what you are providing, the value you are getting in exchange, and understand that no organisation is breach-proof."
