The Ashley Madison affair: a fling with fire

24 Aug 2015

The Ashley Madison data breach is a salutary lesson for online businesses that data must be protected at all costs, no matter what you sell.

If you play with the web, prepare to get burnt. An estimated 115,000 Irish people sought out affairs and ended up with more than they bargained for after hackers dumped their details online. So what did we really learn from the Ashley Madison data dump, asks John Kennedy.

In the early days of the internet the New Yorker magazine had a popular cartoon showing two hounds looking into a screen and the caption read one mutt sagely advising the other: “On the internet, no one knows you’re a dog.”

Well, the tables are turned, no one knows if the website they entrust information to is a pup either.

That should be the primary lesson from the entire Ashley Madison fallout.

In the last week, it emerged that up to 36m people’s details, including email addresses, credit card numbers, street addresses and more, were contained in a 10Gb data dump to dark website Tor. This was followed by a 20Gb data dump of internal information about Avid Life Media (ALM) the owner of the Ashley Madison website.

Ashley Madison’s raison d’etre was to allow married people to hook up with people who were interested in having an affair. The odds were stacked against them because with a 6:1 male to female ratio, chances of an affair being conducted were slim.

Worse, if users wished to have their data deleted from Ashley Madison, they could only do so for a fee.

The hackers behind the attack – Impact Team – labelled Ashley Madison a scam as well as stating that their reasons for attacking it were about the morality of enabling extramarital affairs.

At first. ALM’s management tried to deflect the situation by saying the data wasn’t genuine. A big mistake as security researchers were able to reveal that the data matched.

The illusion of the internet as a secret playground

The internet is an illusion in many respects. It gives us a taste of lives we have no business leading and the tantalising nature of some websites can catch people who should have better sense off guard. Politicians, journalists, teachers, priests and more were apparently among the alleged 115,000 Irish people – 10th highest per capita on Ashley Madison, The Irish Times previously reported – whose email addresses were among those contained in the data dump.

Some have already strenuously denied they had signed up for the site, have claimed their email may have been used maliciously and are now seeking legal advice.

Around the world, politicians, leaders of business, media figures, family figures and many others are squirming and loudly denying any involvement with the website.

The fallout ranges so far from embarrassing to downright tragic – a woman found out live on the radio that her husband had an email linked to an Ashley Madison account, while a suicide in San Antonio in the US has been linked in the media to the data dump.

Already scammers are hard at work sifting through the data dump to blackmail web users unfortunate enough to have their email address appear whether they put it there or not. People are using sites like Trustify and Cynic.al to find out quickly if their email address is contained in the data dump.

I would advise you not to enter your email address into any site requiring your address. And especially if it doesn’t have an HTTPS in the address as you may be opening yourself up to the attention of even more scammers.

Data protection, not just morality, is the issue at stake

ALM is a US$100m business that is now in the midst of a PR disaster. But this is nothing compared to the personal fallout as lives are disrupted and reputations ruined. Attempting to charge people US$19 to permanently delete their accounts hardly covers ALM in glory.

The hackers’ motives in exposing this data on the face of it seemed about morality, but again, have they considered the damage they may have left in their wake.

The actions of those who signed up for an illusion were foolish in the extreme. Affairs are a fact of life but now the digital dimension means they can be exposed in a myriad of ways as people leave digital breadcrumbs everywhere from Facebook and Tinder to suspicious spouses using the Find My Phone feature on smartphones to catch philanderers out.

Even though many of those people were unlikely to have found an affair on Ashley Madison, just being there suggests an intent. And that can be hurtful enough for most spouses.

If anything the Ashley Madison affair revealed just how naïve people still are when it comes to the internet. Many of the users’ email addresses in the data dump were work addresses.

This suggests that many of the users also accessed the site from work computers – do companies or government departments not have web filters in place to prevent people accessing porn or dating sites?

Another factor that could trip up those simply denying they used the site is the fact that some of the profiles had GPS coordinates attached to them so even if they set up fake accounts, the GPS coordinates will reveal who is who based on the location of where they live or work. This actually could prove to be a tool for proving innocence among those who claim their email addresses were used without their permission.

Like most affairs or flings, people get burned or hurt, but never in history have so many been burned and humiliated on such a mass scale.

Aside from the morality of the matter, the entire sorry saga is a reminder to anyone who sets up a web business of any kind that data protection is a serious responsibility.

In the coming weeks and months, ALM is likely to be hit with all kinds of legal actions over the data dump and the failure to protect the private data of people who entrusted their information online.

This is a salutary lesson for anyone in business online. Whether the data dump was caused by a disgruntled employee or through a sophisticated spear-phishing attack by a methodical group of hackers, the reality of business online is that it will be a cat and mouse game between business owners and hackers.

Any business that gathers data of users has a moral and legal obligation to protect that data.

On the internet, it doesn’t matter if you are a dog. Just make sure you aren’t being sold a pup as 36m internet users just discovered to their everlasting regret.

Want stories like this and more direct to your inbox? Sign up for Tech Trends, Silicon Republic’s weekly digest of need-to-know tech news.

Main image via Shutterstock

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years

editorial@siliconrepublic.com