WatchPoint Security Blog

Cheaters Exposed in Latest Hack

Written by Jordan Kadlec | July 22, 2015

"Life is short. Have an affair." This is the slogan of AshleyMadison.com, the latest victim of a data breach. Large caches of data have been stolen, and a group calling itself The Impact Team is threatening to post them online, having compromised the company's user databases, financial records and other proprietary information. It is reported that nearly 37 million users have had their data stolen, which could be a problem not only for their financial well-being, but for their marital lives as well.

The data released by The Impact Team includes sensitive data stolen from Avid Life Media (ALM), the firm that owns Ashley Madison as well as related hookup sites Cougar Life and Established Men.

In a world where hacking and data breaches are usually done for monetary gain, information theft, espionage, or activism, the hacker's demands in this case are unique. Unlike the hacker behind the AdultFriendFinder breach last May, who did it to blackmail the company for money, The Impact Team apparently has completely different motives. They want ALM to shut down two sites, Ashley Madison and Established Men, permanently for what appears to be moral reasons.

The Impact Team said it decided to compromise the information in response to alleged lies ALM told its customers about a service that allows members to completely erase their profile information for a $19 fee. According to the hackers, although the "full delete" feature that Ashley Madison advertises promises "removal of site usage history and personally identifiable information from the site," users' purchase details (including real name and address) aren't completely gone.

While this is certainly unconventional, the threat doesn't appear to be an empty one. Small samples of client data from three of ALM's sites have already been leaked online, along with maps of internal company servers, employee account and salary information, and company bank account data.

It's an open question how strong Ashley Madison's privacy protections needed to be, but the company seems to have ignored several issues or questions completely. The result was a disaster waiting to happen. There's no obvious technical failure to blame for the breach, but there was a serious data management problem, and it's entirely ALM's fault. Much of the data that is at risk of being leaked should never have been available at all.

While ALM made a bad, painful error by openly retaining that much data, it's not the only company that is making that mistake. We expect modern web companies to collect and retain data on their users, even when they have no reason to. The expectation hits every level, from the way sites are funded to the way they are engineered. It rarely backfires, but when it does, it can be a nightmare for companies and users alike.

This brings to light the same set of privacy issues that users were exposed to when AdultFriendFinder got hacked a couple of months ago, where a data breach doesn't just affect wallets and online accounts but also real-world relationships and reputations. The stakes are a little higher this time around, as Ashley Madison's users, or at least most of them, are assumed to be married.

According to the official statement from Avid Life Media, the company has secured its sites, closed unauthorized access points, and is currently investigating the incident.