Ashley Madison: A wake-up call
A month ago a group called Impact Team stole the user database and transaction history from Ashley Madison, a website that arranges liaisons for married people.
Last week the group released the data online. It has names, addresses, personal details and sexual preferences of more than 30 million people.
The data isn’t easy to sift. But anyone throwing a lot of resources at the problem will be able to extract information. Journalists and others have already found the names of celebrities, politicians and business leaders. No-one who was a customer will be safe.
Tragic consequences
Lives will be ruined, careers damaged, marriages and families torn apart.
As New Zealand online civil liberties campaigner Thomas Beagle points out, some victims may even lose their lives.
On the human level the data breach is horrible and sad. You’d have to be a cold-hearted monster not to feel sympathy for those who learned their loved ones are unfaithful.
Victims
Less so for the cheaters. Many will think they got what they deserved.
Yet people are complicated. Not every Ashley Madison customer is a selfish jerk, as the story in the link above shows.
There will be those who signed up and never had an affair. Fundamentalist religious types might think otherwise, but for most people contemplating infidelity isn’t a big deal. Rightly or wrongly, anyone who went as far as filling in Ashley Madison’s online form will be judged in a different light.
It is also a wake-up call about online security and privacy.
Cheating as a business model
Ashley Madison’s business is based on convincing married people they can cheat without being caught.
It is a manipulative, unrealistic promise. Just as Ashley Madison encouraged customers to cheat on spouses, it was cheating on customers by not taking enough care to keep their secrets safe.
Ashley Madison advertisements say: “Life is short. Have an affair”. In effect, Ashley Madison promises men dozens of available sex partners willing to have secret nooky.
Security promises
The company emphasises that it keeps things private. It boasts all kinds of protection so that no-one can find out if you cheat on your spouse.
These worthless promises dragged in the customers: tens of millions signed up.
Impact Team says Ashley Madison is a cynical lie: that there are few willing women waiting for men. It says as many as 95 percent of those signed to the service were male.
Blackmail
Another Impact Team objection is that Ashley Madison charged customers a fee to have names removed from the database, amounting to a form of blackmail.
Taking what Impact Team says at face value, Ashley Madison is amoral. There doesn’t seem to be much evidence to the contrary. It is a machine for turning human frailty into money.
According to Ashley Madison, none of what it did was illegal. That will now be tested in court.
What was behind the Ashley Madison breach?
Despite the stated objections, it is hard to understand Impact Team’s motivation for releasing private data. On the surface the group suggests moral outrage, not because the site makes cheating easy, but because, in Impact Team’s words, Ashley Madison is a scam.
Releasing damaging personal data will hurt, maybe destroy, the Ashley Madison business. At the same time it will do untold damage to the people Impact Team appears to regard as victims.
The damage is asymmetric. Lost money is nothing compared to shattered lives, personal violence and executions.
Who wins from the action? Is it just nihilism? It is possible this was a shakedown where the blackmailer didn’t get paid and carried out its threat.
Lessons
Whatever the motivation for the attack (we may learn more about that later), there are important lessons.
First, the Ashley Madison breach shatters the myth of online privacy. It’s not the first case. It won’t be the last. It may not even be the most damaging. But, for now, it is high-profile proof that your secrets are not safe on the internet.
No matter what they say, organisations of all kinds have an appalling track record of keeping data private.
Don’t trust online sites with intimate secrets
The internet is no place to keep a secret. It never has been.
Most of the time the slack online security is annoying, but it isn’t a big deal for most consumers. If your credit card details are stolen online and you’ve behaved correctly, banks or insurance companies will cover your loss.
Exposed passwords tend to be more of an annoyance than a crisis. Just get a new one. A lot of online snooping is banal: the collectors are just after information so they can sell more.
Identity theft is nastier. It can cause a lot of damage. Generally it is a one-off.
As for those impressive looking security logos
Yet Ashley Madison’s case is on a different level. There will be hundreds of thousands of shattered lives and, as we’ve seen, maybe deaths.
The lesson for users is no matter how many impressive looking logos a website boasts, never trust anything online when the stakes are that high.
For businesses with any kind of online presence the Ashley Madison data breach underlines the changing nature of security threats.
The number of threats is escalating, so is the damage caused, and the online underworld now shows a startling sophistication.
Ponemon’s 2014 Global Report on the Cost of Cyber Crime puts the average financial loss from a data breach at US$7.6 million.
When a business’ future is on the line
But the direct financial loss is only the start. When the media gets hold of the news about an attack it hurts a company’s reputation. When things are bad, the company’s entire future is at stake. That’s going to be the case at Ashley Madison; it’s hard to see how the business will survive.
The Ponemon report says shareholders and customers lose confidence in a company that’s been breached. It found 30 percent of companies see a reduction in market capitalisation after a data security breach.
As if that isn’t enough, there are regulatory and judicial risks. Governments often impose heavy regulatory fines for privacy breaches and affected customers have the right to take action against companies that are careless with their data.
The cynic in me says the Ashley Madison data breach will turn out to be just another in a long line of incidents that managers watch and breathe an it-didn’t-happen-to-us sigh of relief. With luck some will sit up and take notice. The smartest will take it as a wake-up call to work on their own security.