Cybersecurity is more than a technical operation. It is a human undertaking, and its failures lead to human cost. Few events illustrate this better than the Ashley Madison hack, which I blogged about almost exactly one year ago. Ashley Madison, you may remember, is the dating site that facilitated illicit connections for married people. Its notorious slogan was “Life is short. Have an affair.” It is a sign of the changes wrought by the hack that Ashley Madison no longer uses that slogan.
The Ashley Madison hack was unlike any other major hack. Carried out by an entity calling itself the Impact Team, it was done without apparent financial gain in mind. The Impact Team’s most coherent justification for the attack was to punish Ashley Madison for its duplicitous Full Delete service, which charged users $19 to completely eliminate their account records but then retained all their credit card information. The Impact Team also engaged in a little bit of moralizing about marital fidelity, which would have been difficult to resist, given the arrogance with which Ashley Madison sometimes marketed and promoted itself. The Impact Team itself seems to have been formed for the single purpose of performing the hack, since it hasn’t been heard from publicly since it released the trove of customer records. And there have been no arrests.
After a year, we have some perspective on the results of the hack. Over the course of the year, Ashley Madison’s parent company, ALM, lost over a quarter of its revenue as customers fled its sites. The actual costs must have been substantial, because Ashley Madison has offered $500,000 (Canadian) for information leading to the arrest of the hackers. On top of lost business, the company is struggling with a $576 million class-action lawsuit on behalf of users who suffered damages from the breach.
In addition, the FTC is investigating Ashley Madison, not because it didn’t properly secure customer information, but because the records the hackers released yielded evidence of duplicitous business practices. It seems a large proportion of the site’s female “membership” consisted of automated chatbots intended to entice men (who were the only members required to pay) to stay on the site.
Now the executive team at Ashley Madison has changed and the new leaders are undertaking to change the company’s business model as well as “rebrand” it. Their plan is to change their emphasis from infidelity to discretion. They are also undergoing a process to achieve compliance with credit card payment standards.
But the greatest costs may have been human costs. Relationships were damaged, reputations shredded, jobs lost. Many of the people exposed have been subject to blackmail and extortion attempts. Some communities were seized with ugly outbreaks of moral crusading, with member names published in the newspapers or read out over the radio. A small number of people who were called out by the hackers’ data dump have committed suicide.
We’ve always known that the costs of a data breach include lost business, remediation, and often restitution. But the Ashley Madison case shows those may just be the beginning. Whether or not Ashley Madison caused the ugliness and the devastation, it is certainly responsible for it. If you don’t want such a responsibility, my advice is to put in place security policies, procedures, and people that can protect you from attacks. But don’t assume they will. Make sure your customers won’t be vilified and that your business practices can stand the light of day, just in case an attack succeeds.