Implications of the Ashley Madison Hack

Hilary Tuttle

October 1, 2015

“Avid Life Media has failed to take down Ashley Madison and Established Men. We have explained the fraud, deceit and stupidity of ALM and their members. Now everyone gets to see their data...Keep in mind the site is a scam with thousands of fake female profiles. See Ashley Madison fake profile lawsuit; 90% to 95% of actual users are male. Chances are your man signed up on the world’s biggest affair site, but never had one. He just tried to. If that distinction matters.”

And with that, a month after announcing they had hacked extramarital affair website Ashley Madison, hackers calling themselves the Impact Team made good on their threat to release a deluge of data if the site was not shut down. Three data dumps onto the dark web leaked details of about 39 million user accounts, as well as a trove of internal documents and emails from its parent company, Avid Life Media (ALM). In addition to email addresses, customer details included the last four digits of credit card numbers, real names, billing addresses, IP addresses, listed relationship statuses, and sexual preferences and fantasies, covering transactions dating back up to seven years.

The hackers were not financially motivated, but instead cited the company’s dishonest business practices as chief motivation—while also, in no uncertain terms, expressing contempt for the moral lapses the site condoned and encouraged.

The Impact Team took issue with the “full-delete” option Ashley Madison offered customers, which promised to erase user data from the site for a $19 fee. The company made more than $1.7 million from the service in 2014 alone. But ALM actually retained the users’ data and credit card information on its servers, the hackers claimed, and may have even labeled some accounts in its database as having purchased the service.

Reviews of the leaked data show that the company actually did some things right, Wired reported. For example, while it kept the name, billing address and last four digits, ALM did not store full credit card numbers in its database. And, unlike so many companies breached in recent years, it hashed customer passwords rather than storing them in plaintext. The algorithm it used, bcrypt, was one of the strongest methods available: it is salted and deliberately slow, so every guess an attacker makes costs a measurable amount of computation. Researchers have since found, however, that programming errors undermined this protection and allowed them to crack many of the passwords. ALM also stored customer email addresses and passwords in separate tables, creating a little more work for the hackers.
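The following example is added here to illustrate how a programming error can undo a slow hash such as bcrypt; it is a constructed demonstration and not ALM's code. (The specific defect researchers reported in the Ashley Madison case, a fast MD5-based login token derived from the same password, is not described on this page; the code models that class of mistake generically.) It uses PBKDF2-HMAC-SHA256 from Python's standard library in place of bcrypt, an unsalted MD5 of the password as the "fast token", and a small constructed wordlist. The record field names, the usernames and passwords, and the iteration count are assumptions chosen for the demonstration.

```python
"""Constructed example (not ALM's code): a second, fast hash of the same
password stored beside a slow one lets an attacker skip the slow hash.

PBKDF2-HMAC-SHA256 (standard library) stands in for bcrypt; an unsalted
MD5 of the password stands in for a password-derived "login key".
"""
import hashlib
import hmac
import os

# Assumption: kept low so the demonstration runs in seconds. Production
# settings (or bcrypt's work factor) would be far higher.
SLOW_ITERATIONS = 20_000


def slow_hash(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash: every guess costs SLOW_ITERATIONS HMAC rounds."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, SLOW_ITERATIONS)


def fast_token(password: str) -> str:
    """The mistake: an unsalted, single-pass hash of the very same password."""
    return hashlib.md5(password.encode()).hexdigest()


def make_record_weak(username: str, password: str) -> dict:
    """Stores the slow hash correctly, then leaks the password via login_key."""
    salt = os.urandom(16)
    return {
        "user": username,
        "salt": salt,
        "pw_hash": slow_hash(password, salt),
        "login_key": fast_token(password),  # hypothetical column; the defect
    }


def make_record_hardened(username: str, password: str) -> dict:
    """Same schema, but the login token is random and unrelated to the password."""
    salt = os.urandom(16)
    return {
        "user": username,
        "salt": salt,
        "pw_hash": slow_hash(password, salt),
        "login_key": os.urandom(32).hex(),
    }


def crack_slow_only(record: dict, wordlist: list) -> tuple:
    """Attacker has only pw_hash: each candidate costs one full slow hash.

    Returns (recovered_password_or_None, number_of_slow_hashes_computed)."""
    slow_calls = 0
    for guess in wordlist:
        slow_calls += 1
        if hmac.compare_digest(slow_hash(guess, record["salt"]), record["pw_hash"]):
            return guess, slow_calls
    return None, slow_calls


def crack_with_fast_token(record: dict, wordlist: list) -> tuple:
    """Attacker also has login_key: one cheap MD5 per candidate, and the slow
    hash is computed only once, to confirm the single surviving candidate."""
    slow_calls = 0
    for guess in wordlist:
        if fast_token(guess) == record["login_key"]:
            slow_calls += 1
            if hmac.compare_digest(slow_hash(guess, record["salt"]), record["pw_hash"]):
                return guess, slow_calls
    return None, slow_calls


def constructed_wordlist() -> list:
    """A tiny constructed dictionary of base words with common suffixes."""
    bases = ["password", "letmein", "qwerty", "monkey", "dragon", "secret",
             "welcome", "summer", "winter", "affair", "madison", "ashley"]
    suffixes = ["", "1", "123", "2013", "2014", "2015", "!"]
    return [b + s for b in bases for s in suffixes]


def demo(password: str = "ashley2015") -> dict:
    """Crack the same password three ways and report slow-hash counts."""
    words = constructed_wordlist()
    weak = make_record_weak("alice", password)
    hardened = make_record_hardened("alice", password)
    return {
        "slow_only": crack_slow_only(weak, words),
        "with_token": crack_with_fast_token(weak, words),
        "hardened_token": crack_with_fast_token(hardened, words),
    }


if __name__ == "__main__":
    for name, (found, calls) in demo().items():
        print(f"{name:15s} recovered={found!r} slow_hashes={calls}")
```

Running the script prints one line per strategy; the number to watch is the slow-hash count. The slow-only attack pays for a PBKDF2 run on every candidate, the fast-token attack pays for exactly one, and against the hardened record the token tells the attacker nothing, so they are pushed back onto the slow path. A slow hash protects passwords only if nothing else in the system stores a cheaper function of the same secret.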

ALM was acutely aware of the risks of a data breach, according to security researcher Brian Krebs. Some of the leaked internal documents show that many employees, including CTO Trevor Stokes, cited security and the possibility of a hack as top challenges and risks facing the company.

Legal and Regulatory Consequences

Canada-based Avid Life Media is undoubtedly going to be tied up in costly legal and regulatory fallout for years to come. Under privacy measures such as Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and the United States’ Federal Trade Commission Act, improperly storing, inadequately guarding and exposing customer data are failures that can prompt investigations, fines and federal litigation, all of which are costly and can drag on for years after a breach.

The Office of the Privacy Commissioner of Canada announced in August that it had commenced an investigation concerning ALM in cooperation with other international counterparts. The Federal Trade Commission does not comment on open investigations.

On the civil level, class action litigation is one of the most costly and time-consuming results of a large-scale data breach. Within a week of the first data dump, law firms in the United States and Canada had begun soliciting victims to join class actions. About a dozen suits had been filed by mid-September, with two of the earliest claiming almost $600 million in damages. In addition to claims like emotional distress, lawyers in the cases cite the company’s failure to promptly notify users about the threat and release of personal information.

This litigation may prove one of the most interesting and far-reaching aspects of the case, as previous attempts to lodge class action suits in the wake of a data breach have often stalled over the question of harm to plaintiffs. In the ongoing case against Neiman Marcus, for example, the court initially ruled that the threat of future harm posed by consumers’ personal or payment information simply being exposed was not enough to constitute actionable damage. In July, that decision was reversed and the case reinstated when the Seventh Circuit concluded that the theft of information alone is enough to satisfy requirements for standing. Establishing a case history for breach-related class actions is still far off, and none to date have made it to a jury, although many have settled. But the ruling does have clear implications for more easily establishing standing as a class, and eliminates one major argument deployed by defendants. And in the case of Ashley Madison, the potential harm introduced by both exposing payment data and simply publicly identifying users is even clearer. Resulting suits could get far further than others to date.

CEO Noel Biderman was also known for making repeated, lofty claims about his site’s security over the years, further opening the door for both regulators and customers to claim false advertising. Indeed, the fact that Ashley Madison charged customers $19 for the “full-delete” service yet the data dumps include their information and credit card data from the purchase itself seems to make such claims hard to dispute.

Data released also offered some evidence for longtime allegations that many of the women listed on the site were not real. In January 2012, an official complaint was sent by California Attorney General Kamala Harris alleging the company fraudulently used these fake profiles to get consumers to “pay to play,” and the new data could certainly inspire more efforts to recoup users’ money. According to analysis from Gizmodo’s Annalee Newitz, the exposed internal documents show that the company’s developers created software bots to generate “Angels”—fake women whose details and photos were batch-generated, and then operated by specially created software that sent email and chat messages to users. A user who wanted to read them or respond would have to pay up to $290 for a package of Ashley Madison credits.

“As documents from company e-mails now reveal, 80% of first purchases on Ashley Madison were a result of a man trying to contact a bot, or reading a message from one,” Newitz wrote. Internal emails also showed that employees and Biderman debated how to describe these bots to head off member complaints and possible lawsuits. In mid-September, a class action was filed in Maryland regarding the use of these “fembots,” claiming violation of Maryland’s Consumer Protection Act and unjust enrichment.

Implications may also trickle down to the organizational level. More than 15,000 accounts were registered to email addresses on .gov and .mil domains, which host government and military email, and an untold number are linked to other work accounts, illustrating the importance of boundaries between work and personal accounts. Such missteps create considerable reputational and legal exposure: work email is fair game if internal issues arise, and courts have repeatedly held that using a work email account for personal communication extinguishes any expectation of privacy in it.

What’s more, while codes of conduct would not necessarily make holding an Ashley Madison account a fireable offense, using company resources certainly could. “It wouldn’t really matter that it’s AshleyMadison.com, it could be a more innocuous website,” labor and employment attorney Anthony Oncidi told Time. “It’s still evidence that you’re using your work email address for something that clearly has nothing to do with the business.”

Shifting Targets

Yes, the exposed data threatens the reputation—and marital status—of millions of users, and yes, the data is being used to publicly shame or blackmail users and their loved ones. The implications for data privacy at large should scare us all. But the concern for both individual citizens and whole corporations is broader still. Titillating content aside, the Ashley Madison hack is merely the most attention-demanding example of a trend in the expansion of what hackers recognize and target as valuable information.

To date, when most companies evaluate what information is valuable and, thus, requires more effort and investment to secure, they think of the three types of regulated data: payment card data (governed by the PCI Data Security Standard), personal health information (PHI) and personally identifiable information (PII). There is good reason for that: these are the traditional targets for hackers, and they come with fairly clear costs in the fines levied per record exposed.

According to the Ponemon 2015 Cost of Data Breach Study, the cost of a healthcare breach in the U.S. averaged $398 per record, a retail breach $165 per record, and a public-sector breach $68 per record. From risk management and IT departments to the C-suite, these numbers present one of the easiest ways to comprehend cyberrisk. But the idea that these are the biggest exposures a company should worry about is increasingly proving a fallacy.

In the Ashley Madison hack, there were millions of names, billing addresses and partial card numbers, but the fines likely to come from exposing that payment card data are a drop in the bucket compared to the likely costs of investigation, litigation, settlements and loss of business. The most sensitive information was not what was contained in individuals’ records; it was the fact that individuals had records with the company at all.

Hackers’ recognition of what is truly valuable has broadened. In a July report, Symantec identified a group of hackers they called Morpho, which has attacked multiple multibillion-dollar companies across an array of industries in pursuit of one thing: intellectual property. The group has been active since at least March 2012, the report said, and their attacks have not only continued to the present day, but have increased in number. “Over time, a picture has emerged of a cybercrime gang systematically targeting large corporations in order to steal confidential data,” Symantec said. It is unclear what they do with the information—they may aim to sell it to competitors or nation-states, for example—but regardless, the potential damage of losing proprietary information, trade secrets or other data fundamental to a company’s reason to exist defies quantification.

In Ashley Madison’s case, that intangibility and resulting miscalculation may sound their death knell, but it could also do the same for any other company that does not recognize the new playing field for cyberattacks. When Motherboard interviewed the Impact Team, the online magazine asked if they planned to target other websites. The hackers replied that they would target “any companies that make 100s of millions profiting off pain of others, secrets, and lies. Maybe corrupt politicians [too].” The threat posed by the Impact Team is not over, and they are far from the only “hacktivist” collective out there.

Hilary Tuttle is managing editor of Risk Management.