Everyone hurts when criminals expose intimate data from an infidelity website.
A month ago a group called Impact Team stole Ashley Madison’s user database and transaction history. Ashley Madison is a website that arranges liaisons for married people.
Last week the group released the data online. It has names, addresses, personal details and sexual preferences of more than 30 million people.
The data isn’t easy to sift. But anyone throwing a lot of resources at the problem will be able to extract information. Journalists and others have already found celebrities, politicians and business leaders. No-one who was a customer will be safe.
The attack will ruin lives, ruin careers. It will see marriages and families torn apart.
New Zealand online civil liberties campaigner Thomas Beagle says some victims may even lose their lives.
On the human level the data breach is horrible and sad. You’d have to be a cold-hearted monster not to feel sympathy for those who learn loved ones are unfaithful.
Less so for the cheaters. Some will think they got what they deserved.
Yet it’s complicated. Not every Ashley Madison customer is a selfish jerk as the story in the link above shows.
There will be those who signed up and never had an affair. Religious fundamentalists may think otherwise. Yet for most people, contemplating infidelity isn’t a big deal.
It is yet another a wake-up call about online security and privacy.
Cheating as a business model
Ashley Madison based its business on convincing married people they can cheat without being caught.
It is a manipulative, unrealistic promise. While Ashley Madison encouraged customers to cheat on spouses, it cheated on customers by not keeping their secret safe.
Ashley Madison advertisements say: “Life is short. Have an affair”. In effect, Ashley Madison promises men available sex partners willing to have secret nooky.
The company emphasises it keep things private. It boasts all kinds of protection so that no-one can find out if you cheat on your spouse.
These worthless promises dragged in the customers: tens of millions signed up.
Impact Team says Ashley Madison is a cynical lie: that there are few willing women waiting for men. It says as many as 95 percent of those signed to the service were male.
Another Impact Team objection is Ashley Madison charged customers to remove names from the database. This amounts to a form of blackmail.
Taking what Impact Team says at face value Ashley Madison is amoral. There doesn’t seem to be much evidence to the contrary. It is a machine for turning human frailty into money.
According to Ashley Madison, none of what it did was illegal.
What was behind the Ashley Madison breach?
It is hard to understand Impact Team’s motivation for releasing private data. On the surface the group suggests moral outrage. That’s not because the site that makes cheating easy, but because, in Impact Team’s words, Ashley Madison is a scam.
Releasing damaging personal data will hurt, even destroy, the Ashley Madison business. At the same time it will do untold damage to the people Impact Team appear to regard as victims.
The damage is asymmetric. Lost money is nothing compared to shattered lives, personal violence and executions.
Who wins from the action? Is it nihilism? It is possible this was a shakedown where the blackmailer didn’t get paid and carried out its threat.
Ashley Madison lessons
Whatever the attcker’s motivation, we may learn more about them later, there are important lessons.
First the Ashley Madison breach shatters the myth of online privacy. It’s not the first case. It won’t be the last. It may not even be the most damaging. But, for now, it is high-profile proof that your secrets are not safe on the internet.
No matter what they say, organisations have an appalling data privacy track record.
Don’t trust online sites with intimate secrets
The internet is no place to keep a secret. It never has been.
Most of the time the slack online security is annoying, but it isn’t a big deal for most consumers. If crooks steal your online credit card details, banks or insurance companies will cover your loss.
Exposed passwords tend to be more of an annoyance than a crisis. Just get a new one. A lot of online snooping is banal, the collectors are after information so they can sell more.
Identity theft is nastier. It can cause a lot of damage. Generally it is a one-off.
As for those impressive looking security logos
Yet Ashley Madison’s case is on a different level. There will be hundreds of thousands of shattered lives and, as we’ve seen, even death.
The lesson is no matter how many impressive looking logos a website boasts, never trust anything online when stakes are high.
For businesses with an online presence the Ashley Madison breach underlines the changing nature of security threats.
Threats are escalating. So is the damage caused. The online underworld now shows a startling sophistication.
Ponemon’s 2014 Global Report on the Cost of Cyber Crime puts the average financial loss from a breach at US$7.6 million.
When a business’ future is on the line
But the direct financial loss is only the start. When the media gets hold of the news about an attack it hurts a company’s reputation. When things are bad, the company’s entire future is at stake. That’s going to be the case at Ashley Madison; it’s hard to see how the business will survive.
The Ponemon report says shareholders and customers lose confidence in a company after a breach. It found 30 percent of companies see reduced market capitalisation after a breach.
As if that isn’t enough, there are regulatory and judicial risks. Governments often impose heavy regulatory fines for privacy breaches. Customers have the right to take action against companies that are careless with their data.
The cynic in me says the Ashley Madison data breach will turn out to be another in a long line of incidents that managers watch and breathe an it-didn’t-happen-to-us sigh of relief. With luck some will sit up and take notice. The smartest will take it as a wake-up call to work on their own security.