Ashley Madison, the website that revealed men looking for affairs, used inadequate privacy and security technology, despite marketing itself as discreet and secure, according to the Office of the Privacy Commissioner of Canada.
Don't Miss: The Best HDR TVs
The report published Tuesday said that the privacy watchdog group found that the company violated privacy laws in Canada and abroad right before the massive data breach showed the clients.
The hack stole identifying details, credit card information, and messages from the site's users. At the time of the breach in July 2015, the website had 36 million users and more than $100 in annual revenue.
The resulting scandal cost the company a quarter of its annual revenue due to customers who cancelled their accounts and demanded refunds.
Working with another agency in Australia, the group says that the company was aware that their security was lacking, but didn't do enough to guard against attacks. The company even used a logo that said "trusted security award" though it was fabricated.
Some of the poor habits that likely led to the breach included inadequate authentication processed and sub-par management practices, according to the report and CBC News.
Many of the efforts to monitor its own security were "focused on detecting system performance issues and unusual employee requests for decryption of sensitive user data," the report found.
The company also kept information after profiles have been deactivated or delete and did not make users aware. They also didn't check the accuracy of email addresses. This also means that people who weren't members of Ashley Madison could have their emails included without their knowledge.
"Handling huge amounts of this kind of personal information without a comprehensive information security plan is unacceptable," privacy commissioner Daniel Therrien said in a statement. "This is an important lesson all organizations can draw from the investigation."
The company did cooperate with the investigation and has received recommendations from the company.
"The company continues to make significant, ongoing investments in privacy and security to address the constantly evolving threats facing online businesses. These investments are the cornerstone of rebuilding consumer trust over the long term," company CEO Rob Segal said in a statement.