Cybersecurity: Embarrassing Public Arguments
July 28, 2015 by Bill Rosenthal

A little over a week ago, hackers calling themselves The Impact Team claimed to have accessed all the records of Ashley Madison’s 37 million subscribers. As I write this, the hackers are holding these files and have threatened to release them unless Ashley Madison's parent company shuts the site down. They published a few files, presumably to show they could make good on their threat, but Ashley Madison has managed to suppress those by using DMCA takedowns.

Ashley Madison is a service for adulterers. Its well-known marketing slogan is “Life is Short. Have an affair.®” The comments found on many of the news reports about the Ashley Madison hack show that at least some people – presumably people who have never used the site – are enjoying this. Let’s not let the entertainment value of this hack make us forget its criminality.

While we are waiting to see if the hackers can and will make good on their threat, we are being treated to the spectacle of a company engaged in a public argument with criminals attacking it. The criminals insist that one of their goals is to punish Ashley Madison for what they say is the hypocrisy of its Full Delete feature.

If you’re an Ashley Madison user and you don’t want to be one anymore, you can go to the site and hide your profile, which leaves your data on their servers but makes it unsearchable. This feature carries no charge. If you want to go further and wipe your data from the site completely, you are offered the service of a Full Delete – for $19. According to The Impact Team (admittedly a biased source), Ashley Madison made $1.7 million from the Full Delete service in 2014. In a lot of companies, that would make it a profit center.

The Impact Team says it hacked Ashley Madison to prove the Full Delete service is a scam, and that even though Ashley Madison promises to scrub your data for $19, it keeps the data intact. Ars Technica reported last year that Ashley Madison’s promise of a full delete is actually much more thorough than anything offered on other sites. But The Impact Team says that a Full Delete still leaves your name, address, and credit card number (which are “the most important information the user wants removed”) on Ashley Madison servers. 

I am not sure it is possible for Ashley Madison to delete all this customer contact information, since it constitutes a sales record. Don’t you need those for credit disputes, audits, taxation, and so on? If keeping records is part of running a business, it seems to me you can’t just delete sales records. So, in a way, both Ashley Madison and The Impact Team are correct in their assertions. A Full Delete may wipe as much data as can be wiped, but a website can’t be a cash business, so it still has to keep critical data on its servers.

But what a miserable argument to be having in public. Could your business stand to be having an argument like that with a criminal gang? If not, look again at your security policies, procedures, hardware, systems, and especially people. Consider the Logical Operations ProCert Accredited CyberSec First Responder: Threat Detection and Response (CFR) training and certification program. And remember that almost anything you post to a website can live forever regardless of your (or the website’s) intentions.