The Ashley Madison web site, where people go to cheat on their spouses, was hacked last week. This is an interesting situation for a number of reasons.
First, a little background. The Ashley Madison web site is owned by Avid Life Media (ALM), which also runs several other web sites – Cougar Life and Established Men.
The attackers, who the company says it thinks were insiders or ex-insiders, claim to have taken the entire customer database – names, addresses, credit card information, sexual preferences, financial information, company emails, etc.
They seem to be particularly peeved at the fact that the company charged $19 for a service which supposedly deleted your transgressions on the site, but in fact did not do that.
So why is this hack interesting?
First, the hackers say that if the company does not shut down the site completely and forever, they are going to dump the data on 37 million customers. Are you going to shut down a multi-million dollar business just because hackers ask you to? Probably not.
You have to assume that some of the people who are cheating on their spouses are high profile people – maybe government, maybe business. What do they do now? Unfortunately for them, there is not much that they can do. Hopefully they used prepaid credit cards and fake names. I suspect most did not.
At this point, the hackers have only released a very small piece of the data they claim to have. Ashley Madison, for their part, has been using the DMCA to ask sites to take down their stuff and that has been moderately effective.
Ashley Madison says they are closing in on the hackers. Whether this is true or smoke we don’t know. We also don’t know if catching them will stop – or trigger – a release of the full dataset. For example, if the hackers had help, they could say to their buddies that they will send them an email every day and if they don’t get it, release the data as widely as possible. If they were to release the data using offshore web sites, the DMCA takedown notices have no meaning or effect since that is a U.S. law.
So what are the lessons here?
1. No site is bullet proof. Bullet resistant maybe, but not bullet proof. The only bullet proof one is the one that is turned off.
2. If you are a user of a web site and the site promises you anonymity, consider that promise carefully. What is the consequence to you (and in the case of Ashley Madison, to your family) if they don’t keep that promise? What can you do to mitigate that breached promise? What is the consequence to the site if they break their promise to you? You can use this thinking on any web site – from Amazon to Ashley Madison. Maybe you don’t really care if it is breached. So what if someone knows that I bought jeans in a size XXL? It is useful, however, to have the conversation with yourself before you sign up.
3. Lastly, as a web site owner, what is your business plan if this happens? My guess is that no one is signing up for Ashley Madison right now – or probably for at least the near future. What does that do to your cash flow? On top of that, people are likely cancelling their memberships, so your recurring revenue numbers just went in the toilet. How do you stop the rats from abandoning the sinking ship? I have a suspicion that their financial plan for this year just got thrown in the trash.
Most companies’ business models are not as controversial as Ashley Madison’s, but no company has zero enemies. Planning for the worst and working for the best is not always a bad idea.