The irony in maintaining a clandestine affair via the site is that the customer must trust the site to keep all information private. This is AshleyMadison.com's business model: facilitate an affair and reassure the customer that his information and activity is safe from disclosure. The site holds the user's name, address, contact information, credit card information, and any scandalous messages or notes that the user has drafted to fellow philanderers. Up until now, this business model was pretty successful: AshleyMadison.com recently disclosed that it has over 37 million customers.
But last month, a group of hackers, calling themselves the Impact Team, announced that it hacked AshleyMadison.com and acquired the data of all 37 million customers. Impact Team demanded that Avid Life Media ("Avid Life"), owner of AshleyMadison.com, take down the website and other affiliated websites owned by Avid Life (such as EstablishedMen.com, which promises to connect young women with "rich sugar daddies" to "fulfill their lifestyle needs"). Impact Team held the data hostage, demanding that Avid Life Media take down these websites "permanently in all forms." Otherwise, Impact Team promised to release all customer records "including profiles with all the customers' secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails." Avid Life Media refused. Last night Impact Team made the data available alongside a message reading "Time's Up!"
Impact Team publicly "dumped" the data, 9.7 gigabytes in size, on the dark web using an address accessible only through a special browser. But despite the relatively difficult methods to access the data, people have already taken to 8chan and similar sites to discuss the contents of the data. Experts readily equipped to access the information are still analyzing the incredibly large dump of compressed data.
So far, we know that the data includes user names, first and last names, hashed passwords for 33 million accounts, partial credit card data, street names, phone numbers, email addresses, and records documenting messages sent between users (the content of which is far too graphic to post on this blog). Also included are PayPal accounts used by Ashley Madison executives, Windows domain credentials for employees, and a large number of proprietary internal documents such as memos, organizational charts, sales tactics, and corporate documentation. If that was not worrisome enough, more than 15,000 of the email addresses belong to US government and military servers using .gov and .mil domains. In a separate blog, Errata Security Chief Executive Rob Graham said the information released included details such as users' height, weight and GPS coordinates. He also reported that men outnumbered women on the service by a ratio of five-to-one.
To be fair, a large percentage of the data likely corresponds to anonymous burner ("fake") accounts and some information may be falsified. In other words, users may have been putting false information into the website to further hide their identity. For example, Michelle Thomson, a newly-elected Westminster MP announced that one of her email addresses was in the dump, but claimed that the address had been stolen and used without her knowledge. But early reports show that much of the information is legitimate.
This is a humbling moment for Avid Life. The company was trusted to safeguard customer information at all costs. The company tried, but failed. But all of us, even companies that do not harbor adulterous information, can learn a lot from Ms. Madison.
Fatal Business Attractions
Avid Life Media has made discretion a key selling point in its business. Indeed, the entire business model was premised on security of personal information. No one wants to admit that they are having an affair (former presidents, generals, governors, senators, prime ministers, and stars of Notting Hill can attest to that). But AshleyMadison.com advertised itself as a way to secretly and efficiently have that affair. It promoted itself as being a safe place for customers worried about their identity being disclosed. Indeed, Avid Life advertised the discretion aspect of the site so much that in 2014, Chief Executive Noel Biderman described the company's servers as "kind of untouchable." Customers were attracted to this business model.
Avid Life is learning today that companies should never brag about their untouchable cyber security protocols; it only encourages hackers to meet the challenge and prove the company wrong. Want to see how fast your company can be hacked? Put out a press release boasting that your cybersecurity is impenetrable and the best in the world. In no time at all, hackers will work around the clock to prove you wrong. Customers do demand strong cybersecurity, but premising your entire business model on the notion that your systems are "untouchable" is flirting with disaster. Instead, companies would do best to instill a culture of privacy within the business, and reassure customers that although breaches might be inevitable, the company takes all precautions it can to protect client data.
Basic Hacker Instincts
Instinctively, many companies dismiss the threat of a hack because they are too small for hackers to care. Indeed, we hear from some companies that "we are not the size of Target, so we cannot be a hacking target." Wrong. Hacker motivations vary. Impact Team's motivation can be attributed to an emerging form of internet activism that some refer to as "hacktivism." Impact Team had a message for Avid Life and wanted action to be taken. Keep in mind that a market exists for this kind of information. The data at issue included credit card and personally identifiable information, which is attractive to your run of the mil hacker, and also data that is special because of how embarrassing and destructive it can be. Disclosure of an affair can ruin a person's personal and professional lives, enticing blackmailers to hang the data over a person's head in exchange for an extortion fee. Attorneys may also find the data useful in representing clients going through acrimonious divorce proceedings. Impact Team did not want money or revenge: it wanted change.
Hackers hack for varying reasons. Some want money. Others want to enact change. And, in the words of Alfred Pennyworth from The Dark Knight, "some men just want to watch the world burn." Hackers have become increasingly indiscriminate in picking victims, and some cybersecurity experts explain that "[i]n all probability, the motivation [for hackers] is that #1 it's fun, and #2 because they can." The consequences can be devastating. A breach resulting from a hack can lead to regulatory investigations, lawsuits, and a loss of business from consumers and clients valuing the privacy of their data. Anyone can be a target, and companies should be aware that the mere act of conducting business in the twenty-first century puts them at risk for a cyber-attack.
Eyes Wide Shut
Some companies, like the proverbial ostrich with his head in the sand, just ignore the cyber dangers due to cost, disbelief, or any other reason. Ashley Madison is going to face a host of legal nightmares in the coming months and years. The company, based in Canada, does business around the world, subjecting itself to privacy laws in the United States and the European Union. Accordingly, security methods and procedures will be investigated and scrutinized by regulators. Angry consumers will seek legal remedies through the courts. Criminal probes, already being conducted by the FBI and Royal Canadian Mounted Police, could also shift to the company's internal activity. Ashley Madison claims that its servers are "kind of untouchable" – that claim is now going to be brought under the microscope and investigated for all to see, putting the company's future success at risk.
Yes, experiencing a breach is inevitable. But the duty is to minimize the damage. To its credit, Ashley Madison passwords appear to have been well protected through high-level encryption procedures. Accordingly, by using such a secure method the website surpassed many other victims of breaches over the years who never bothered to encrypt customer passwords. Yes, hackers are still likely to "crack" many of those encryptions to discover an account holder's original password, but it slows the hackers down and provides investigators and privacy professionals time to enact remedying measures. Such encryption may also assist Ashley Madison in providing evidence of strong security procedures and could help them escape liability in some cases.
This is Where I Leave You
The Ashley Madison hack may provide some entertainment in sleaze news and late night talk shows, but a larger lesson is at play here. We all know that the digital landscape is changing: using my phone, I can schedule appointments with clients, order sushi from a nearby restaurant for delivery, reserve movie tickets for Friday night, purchase a book to read for a lazy Saturday afternoon, and make a date with a stranger I met digitally with the swipe of a finger. Our lives, both professional and personal, have become digitized, catalogued, and accessible to hackers with the time, energy, and motivation to extract that information. Ashley Madison conducted a business premised on the idea that it can help users commit acts that require the utmost discretion and secrecy. The inherent promise was that users can trust Ashley Madison to keep consumer information private. Today, we are all reminded that such promises make for an incredibly risky business model and a very dangerous affair.