No anonymity when you screw around online – notes from the Ashley Madison fallout

Adulterous subscribers and suspicious partners worldwide waited with bated breath for the fallout after data hackers, the “Impact Team”, mass-dumped the personal data records of 32 million users from the Ashley Madison database on 15th July 2015. “It’s full account information,” said Robert Graham, CEO of Errata Security, in a blog post. “That includes full names, emails, phone numbers, addresses and passwords”. Additionally, credit card information and dating information about height, weight, personal information and GPS co-ordinates are included. Whatever fake accounts some people may have created, so much information has been leaked that dissecting and cross-referencing it will enable the identities to be verified.

With a further 14 Gigabytes of data with matching encryption keys dumped yesterday, it is little surprise that the first divorce proceedings about suspected infidelities have started to be listed in the English law courts. Inevitably, the primary beneficiaries of all of this will be the divorce lawyers. As one quipped today, “September will be like Christmas this year”. Nice.

The list of global offenders, some of whom may have signed up with false names or email addresses, is reported to include business leaders, public figures, government employees, senior politicians, members of the military, police officers and diplomats. In the US, more than 15,000 of the email addresses are allegedly hosted on US government or military servers using the “.gov” and “.mil” top-level domains, with ties to agencies including the State Department and the Department of Homeland Security, as well as the House and Senate. There is a real risk of damaged reputations and, of course, the prospect of future blackmail threats awaiting some, but for those naughty enough to use the website, it may be years before they are targeted by criminals.

A trigger for the hackers was apparently the flaws in the company’s data protection policy, with leavers being charged a £12 fee to have their details removed permanently. However, the details were not in fact removed, despite assurances from CEO Noel Biderman: after the initial threats from the Impact Team, there were multiple reports of people who had paid this charge whose details still appeared in the exposed data.

Ashley Madison factoids:
• The online dating agency for married people has been running since 2001.
• Subscribers number 37 million worldwide across 46 countries.
• The organisation states that there are 1.2 million subscribers in the UK alone (representing 2% of the population).
• Ashley Madison’s revenue for 2014 was reported at £77m.
• They are stated to be worth £670 million.

The source code of Ashley Madison is held by its parent company Avid Life, which now faces a threat through its other websites and business interests. The Sword of Damocles now hangs over smug CEO Noel Biderman’s business. It is highly unlikely it can survive a) the hit to its reputation as a safe place to flirt and b) the cost of lawsuits which are expected to hit its doormat in coming months.

From a legal perspective, a breach of privacy may have occurred if personal information has been discovered and published, which could open Ashley Madison to lawsuits. Mark Watts, Head of Data Protection at London law firm Bristows, noted that if a company had a presence in the UK (e.g. an office or a server) it would be subject to the UK’s Data Protection Act, and UK residents would have the right to have their data deleted for free. “You cannot charge for it”, he said. Our quick check at Companies House shows one Ashley Madison Limited, a private limited company, still reportedly active in status terms today, whose nature of business is “other information technology service activities”. They have a registered office in Milton Keynes.

As Luke Scanlon, technology lawyer at Pinsent Masons, commented: “The interesting thing about this incident is that recent court decisions in the UK have been leaning towards the view that a claim can be brought when no financial loss occurs but where a person experiences distress as a result of a data breach.

“In the case of Ashley Madison… if each were to try to claim for £1000 in compensation Ashley Madison could see itself incurring costs of up to £1.2 billion. Even if claims for distress in this case are modest, the sheer volume of data breached and individuals affected in this attack could have a critical impact on the company”. A remedy for breach of contract, he advises, would be complicated, costly, and risk further exposure. However, this sounds like a Class Act to us.

Unreasonable behaviour, certainly, from Ashley Madison, and a salutary reminder to businesses and organisations that never has it been more important to ensure that they have up-to-date data security measures in place, accompanied by robust governance policies to ensure the best possible defence against cyber threats.