Life Is Short; Affairs Are Expensive: The Ashley Madison Breach and Its Aftermath

By Peggy Daley

In July 2015, hackers calling themselves “Impact Team” announced an unusual data breach. The hackers claimed to have obtained customer and operational data from Ashley Madison, an online social networking site that markets itself as a place for people interested in “casual encounters, married dating, discreet encounters and extramarital affairs.” The hackers claimed to have compromised the website’s approximately 37 million user profiles, corporate financial records, and other confidential information. In short order, the names of two users and their profiles were posted online along with, allegedly, maps of corporate servers and banking and salary data. The group threatened to post more user information unless the owner of the site, Avid Life Media (ALM), took Ashley Madison and another similar “cheater” site, Established Men, permanently offline. A media frenzy ensued, complete with wild speculation regarding the possibility of finding celebrities and politicians among the roster of customers.

ALM refused to shut down the sites, and for over a month no further publication of the data happened. Then, on August 18, 2015, the other shoe dropped. News reports indicate that Impact Team posted almost 10 gigabytes of data on the “dark web” site Onion. The site is only accessible with the Tor browser, an open-source browser that prevents people from learning the user’s location or browsing habits. The data posted reportedly consists of millions of payment transactions, including personal identifying information such as names, addresses, and email addresses. Reportedly, there were 15,000 government email addresses. Some of these email addresses are expected to be fake, as Ashley Madison did not require email verification.

Impact Team issued a statement blaming ALM for the exposure of the user data:

TIME’s UP!

Avid Life Media has failed to take down Ashley Madison and Established Men. We have explained the fraud, deceit, and stupidity of ALM and their members. Now everyone gets to see their data.

Find someone you know in here? Keep in mind that site is a scam with thousands of fake female profiles. See ashley madison fake profile lawsuit; 90-95% of actual users are male. Chances are your man signed up on the world’s biggest affair site, but never had one. He just tried to. If that distinction matters.

Find yourself in here? It was ALM that failed you and lied to you. Prosecute them and claim damages. Then move on with your life. Learn your lesson and make amends. Embarrassing now, but you’ll get over it.[1]

Within hours, the data dump was put up on conventional websites and placed into a searchable database. The number of people whose data is actually compromised is unknown, since users can have more than one profile, false email addresses can exist, and many user profiles for women are not associated with real people but are “fictitious” profiles posted by the site itself. These fictitious profiles are dubbed “Ashley’s Angels,” and the site uses them to, among other things, “encourage more conversation and interaction with users.”

ALM press releases following the news of the hack in July 2015 indicated that it was working with law enforcement and that the site had been secured. In April 2015, before the breach, ALM had announced that it was looking to raise $200 million in an Initial Public Offering (IPO). Press reports now indicate that this IPO is currently on hold as the company deals with the fallout from the breach.

There could be many ramifications for those whose information was exposed. The hackers themselves encourage users to “claim damages.” This breach is unique in that the exposure of a person’s use of a “cheating” website may have significant personal consequences for the customers. For example, what happens if the disclosure leads to a divorce?

A recent Seventh Circuit Court of Appeals opinion that some are saying will make it easier to sustain class actions in data breach cases may have relevance to the ALM breach and similar situations. In 2013, the U.S. Supreme Court ruled in Clapper v. Amnesty International that, in order to meet constitutional requirements, individuals whose personal data was compromised must be at “imminent risk” of suffering a “concrete injury” to pursue a claim for damages. This ruling allowed many corporate data breach victims to obtain dismissals of class actions brought on behalf of persons whose data had been accessed. However, on July 20, 2015, just five days after the Ashley Madison hack, a Seventh Circuit panel reinstated a class action against retailer Neiman Marcus, holding that the theft of a customer’s financial information alone was enough to warrant standing to sue. If the panel decision in Remijas v. Neiman Marcus Group, LLC is upheld, it could open the courthouse gates for class actions on behalf of millions of customers whose data has been accessed by hackers.

The Seventh Circuit based its ruling on the premise that Neiman Marcus customers should not have to wait until their identity is misused in order to sue, since there is an “objectively reasonable likelihood” that such an injury will occur.

Also, under some privacy regulations and guidelines, information about adult activities, including sexual activity, is considered Sensitive Personally Identifiable Information. As such, it could be argued that information like that disclosed from the Ashley Madison site should be subject to increased security safeguards.

In the Ashley Madison situation, many open questions will be asked. Who took the data and how? Did outsiders gain access to the site’s network? Was it a trusted insider? Was it a combination of both? Was there a reasonable level of security in place to protect the data? How long did it take Ashley Madison to detect the hack? How long after the company learned of the hack did it notify users? What actions were taken to prevent the ultimate mass disclosure of user data?

An additional issue unique to this breach is that many users paid Ashley Madison for a “Full Delete” of their user data. The Full Delete service promised to remove the user’s profile, messages, site usage history, and personally identifiable information. Users who paid for this service will be interested in finding out whether that Full Delete service was provided.

Ashley Madison’s website logo famously contains the picture of a woman with her fingers held discreetly to her lips (Shhh!)—a nod no doubt to their users’ need and desire for discretion. But the digital age brings new privacy risks, and those people expecting that their digital “dalliances” will remain secret may be in for a major surprise.


[1] Impact Team Statement
