
The hack that maybe wasn’t: Ashley Madison

In the world of on-line romance and breach notifications, the Ashley Madison hack is unique.

Usually, on-line romance crimes involve fraud. Law enforcement officials report that on-line romance fraud is under-reported because the victims are too embarrassed to admit they were duped. They do not want to go through the humiliation of having a detective say “You thought someone with looks like that really wanted to get with someone like you?” Better to just chalk the financial loss up to a life lesson and to be grateful all that got hurt was your bank account and your pride.

But the Ashley Madison hack is completely different.  Victims want privacy, but not for the same reasons.  They may or may not be embarrassed and humiliated, but they are also, one imagines, trying to avoid a significant confrontation with their spouse. In fact, the site has done what it can to offer its clients a service they did not necessarily pay for: plausible deniability.

Consider this statement in their August 18th press release: “the individual or individuals responsible for this attack claim to have released more of the stolen data” and “We are actively monitoring and investigating this situation to determine the validity of any information posted online…” (emphasis mine). Ashley Madison has consistently declined to confirm that any particular record is necessarily authentic. Users are given the opportunity to claim that their information was put there by someone with malicious intent and not by them. And this is one population of users that might not be willing to form a very large class action suit to go after the source of the breach.

There are already a number of class action suits being brought against the Federal OPM for breaching government personnel data; one is even being brought by a Federal judge. By all indications, there are Federal government employees listed in the Ashley Madison data. Want to bet none of them step up to sue? (UPDATED NOTE: I was wrong about this. Suits have been brought against the firm in a way that keeps the plaintiffs anonymous.)

(It will be interesting to see if any victims try to get the Ashley Madison cyber liability policy, if they have one, to cover alimony.)

The press release begins with the predictable statement that they are working with law enforcement and also, predictably, mentions that there are many hacks announced and this one is not unique. It is missing a statement that they are working to strengthen their cyber security controls, and it does not provide any information as to the number of records that it can confirm have gone missing. It also goes down an interesting path.

There is no apology for the inconvenience that the exploitation of their vulnerabilities has caused. Instead, there is a statement of shared “outrage” that your privacy has been invaded. The victims of the hack are described as “innocent citizens who are simply going about their daily lives.” The announcement is clear that the moral judgement against adultery that seems to have motivated the hackers to post the information is not acceptable to the site: “We will not sit idly by and allow these thieves to force their personal ideology on citizens around the world.”

I am not writing this to argue for or against adultery. Just to point out that this is the first breach announcement I’ve seen that is intended not just to provide the facts involved and describe the firm’s response to the incident but to seemingly help the victims explain themselves.
