Case The Corporate Data Breach of Ashley Madison
DATA BREACHES: THE BASICS
A data breach represents a security incident that occurs when “sensitive, protected or confidential data has potentially been viewed, stolen, or used by an individual unauthorized to do so.”3 Regardless of whether financial information is the subject of a breach, the breach itself constitutes a significant financial loss as a result of both direct costs, such as those incurred through compensation to victims and investments in increased security, and indirect costs, such as reputational damage. In addition to $140 million in fines and penalties,4 the 2008 breach of credit card information from Heartland Payment Systems was expected to cost the company about $30 each to replace those credit cards, translating to an approximate total of $3 billion for 100 million accounts.5 Data breaches have become an unfortunate reality of the 21st century. As long as an entity such as a corporation obtains and retains personal data, that data remains vulnerable to crime. No organization is immune. Cybercriminals have penetrated all sorts of organizations from the Internal Revenue Service in the United States to email providers like Yahoo!, social media sites like LinkedIn, and brick-and-mortar operations such as TJ Maxx (known in Europe as TK Maxx) and Target.6 Although many data breaches are motivated by a desire for financial gain, some result from other goals such as revenge, competition, or general dissatisfaction with business practices.7 The threat imposed by data breaches continues to rise; 2016 was a record year, with the number of incidents increasing by 40 percent compared with 2015.8 The magnitude of data loss and related costs are also on the rise.
WHO COMMITS DATA BREACHES?
Three primary categories of individuals or groups commit data breaches. The first category includes insiders: company employees, consultants, business partners, and the like. Some insiders are negligent; others are merely opportunistic. The second category encompasses individuals who are external to an organization, operating alone or in groups. What they have in common is that they want something from an organization to which they do not belong. Sometimes they just want to prove that they can crate a data breach; other times, they want something specific. Some individuals or groups are simply thieves, like the criminal(s) who broke into a parked car in 2005 and stole an Ameriprise laptop computer with personal information stored on it for 158,000 Ameriprise clients and 68,000 advisers.9 Others are cybercriminals—individuals who use the Internet as hackers or in other malicious ways to commit crimes through fraudulent activities such as identity theft, spamming, or phishing.10 Some cybercriminals act together by forming cyber gangs. A third category of data breach activity involves state actors. These groups and individuals are also external to the organization, but they operate on behalf of governments. Their behavior is commonly referred to as “cyber-espionage,” the practice of eliciting confidential information on behalf of governmental organizations. Corporate data breaches of companies such as US Steel, Anthem, and Medtronic, among others, have been attributed to cyber-espionage.
WHAT DO DATA THIEVES STEAL?
Data breaches can involve almost any sort of information. Although many breaches involve unauthorized access to personally identifiable customer information, other intrusions have sought out information about employees or the companies themselves (i.e., financial information, trade secrets, or intellectual property). In 2007, for example, a data breach at Gap Inc. involved the theft of two laptop computers that contained the personal information of job candidates.12 Transactional information is at risk because it can include financial details as well as personal information such as telephone numbers, addresses, and log-in information. The theft of information from one organization can lead to broader vulnerability because individuals often adopt the same or similar user names and passwords across multiple accounts. This concern was raised when LinkedIn was hacked in 2012, and the user names, email addresses, and passwords for 117 million accounts were obtained.13 This attack constituted a “mega breach,” a massive data breach that stands out simply because of the enormous quantity of data stolen.
Personal information about employees and job candidates can also be at risk. In April 2017, a data breach at McDonald’s Canada involved the theft of personal information of 95,000 job candidates, including addresses, telephone numbers, employment histories, and other personal information, such as the fact that they had applied for a position at McDonald’s.15 Revealing the existence of a job application can be sensitive in that job candidates often fear jeopardizing their current employment status by having others, particularly current employers, find out that they are looking for a new position. Information about a corporation itself can also attract thieves. In December 2009, for example, Google discovered that corporate intellectual property had been stolen through a highly sophisticated and targeted attack. This attack played a significant role in Google’s subsequent decision to pull out of China in 2010.16 Cybercrimes pose a particular threat to companies involved in e-commerce, both because of increasing e-commerce activity in the global economy and because of the inherent vulnerability of operations that take place almost entirely in the cloud. E-commerce in 2016 drove nearly $2 trillion in global sales, with double-digit growth anticipated through 2020, when sales are expected to exceed $4 trillion.17 In the United States alone, 2016 Internet sales totaled nearly $400 billion, which represented a 15.6 percent increase over 2015.18 At the same time, the cost of a data breach has increased 29 percent since 2013, with the average cost of a single attack in 2017 estimated at $4 million
Social media represent a formidable force within e-commerce. Social media encompass Internet-based platforms that facilitate the cration and sharing of information through virtual connections among individuals. Some are considered tools for e-commerce, and others are viewed as an integral part of e-commerce. Facebook, for example, though technically offered to users at no charge, remains a tool for both advertisers and product sales. Facebook offers users the opportunity to set up Facebook “stores,” which are pages dedicated to business sales. With 1.71 billion active users and potential customers, Facebook represents an attractive platform for e-commerce and therefore a tempting target for thieves.20 The numbers of data breaches are staggering. According to the Identity Theft Resource Center, a nonprofit established to support victims of identity theft and increase public education and awareness of cybercrimes, approximately 1,000 data breaches were reported in 2016 alone, with nearly half targeting business-related data.21 Referring to the common saying that the only certainties in life are death and taxes, Adam Levin, chairman and founder of CyberScout, said, “The database compromises of 2016 confirmed yet again that breaches are the third certainty in life, and we are all living in a constant state of cyber insecurity. Hackers and identity thieves continue to evolve. They are very sophisticated, extremely creative and dogged in their pursuit of what is ours.
CAN DATA BREACHES BE PREVENTED?
Data thieves prey on a variety of vulnerabilities. Not all data breaches are avoidable, but many are. In the breach suffered by TJ Maxx in 2007, the company was relying on inferior wireless encryption protocols used to transmit data among price-checking devices.23 The 2014 megabreach that affected eBay was similarly avoidable in that it occurred because hackers were able to gain unauthorized access to employee credentials through successful phishing attempts.24 Phishing occurs when people are tricked into clicking on malicious links. The users believe they are entering credentials into legitimate websites when, in reality, they are allowing those credentials to be stolen and used to infiltrate those sites. Employee training and extra layers of internal network security could likely have thwarted the phishing attempts at eBay. Another possibility of avoiding data breaches lies in deterrence, meaning hackers and cyberattackers do not want to end up in jail. While it is difficult to catch them, if they are caught, the penalties are among the stiffest available. However, one of the problems with deterrence is that cyberattackers often rely on the cloak of anonymity, making it harder to identify where the attacks are coming from.25 In addition, the international, multi-jurisdictional nature of the Internet crates additional challenges.26 Although deterrence seems like a practical solution, most cyberattackers do not consider the consequences of getting caught. According to Mark Rasch, now Verizon’s chief security evangelist, formerly the official at the U.S. Department of Justice who creted its computer crime unit, “The truth is, hackers—like most criminals—do not consider the consequences of getting caught; they do not think they’re going to get caught, arrested or prosecuted.”27
The takeaways should not be that deterrence is not possible, but that a better answer than fear of prison lies in stepping up cybersecurity. Although often expensive and complicated, there are options. For example, network monitors are available to look out for and block harmful packets, as an air defense system might “shoot down” hostile aircrafts. This is one example of the options that are available to prevent cyberattacks, even though they do not necessarily identify the attackers. Overall, in the case of data breaches, it is most beneficial to take proactive, preventative measures.
ONLINE DATING: THE RISE OF ASHLEY MADISON
Just as people go online to find news and information and to conduct business, they are increasingly going online to initiate and develop personal relationships, even when their targets are physically close by. In 2016, an impressive 70 percent of the $2.5 billion dating services market was devoted to online platforms.28 Before the Internet, dating and matchmaking services were nothing unusual; the traditional business model included classified ads in newspapers and magazines, postal mail, and personal consultations. The first identified computer matchmaking service originated in 1959, when Stanford students Jim Harvey and Phil Fialer crated the “Happy Families Planning Service” as a class project. Using a punch-card questionnaire and an IBM 650 mainframe computer, the two students successfully matched 49 couples.29 In the mid-1990s, with the advent of the World Wide Web (simply referred to today as the Internet), companies began registering domain names for dating websites. In 1995, before the official existence of a single dating website, the phrase online dating was already being searched more than 135,000 times a month
Enter Match.com, launched on April 21, 1995, when Internet users were still being connected through dial-up providers such as AOL.31 At the time, only five percent of Americans had Internet access.32 Founder Gary Kreman, nevertheless, recognized untapped potential. Today, according to the Pew Research Center, at least 15 percent of Americans admit to having used online dating sites or mobile dating applications (aka “apps”).33 As the online dating industry grew, niches quickly developed. Started in 1997, JDate was the second online service to emerge, and it targeted a religious niche catering to single Jewish men and women.34 Membership was not limited to Jews, however; eventually, the site enabled members to identify themselves as “willing to convert,” “not sure if willing to convert,” or “not willing to convert.”35 Five years later, in 2002, Ashley Madison was launched.36 The brainchild of Toronto entrepreneur Darren Morgenstern, this company also focused on a niche—not based on religion or occupation or sexual orientation, but on relationship status: “in one.”37 Ashley Madison openly aimed to connect people who were already married or in long-term relationships. In fact, Ashley Madison began with the come-on, “When Monogamy Becomes . . .”
Ashley Madison was almost immediately popular and profitable, with the company boasting $3.5 million in revenue within 2 years of its entry into the market.38 And the company found a new slogan: “Life is short. Have an affair.” Its popularity sparked almost immediate controversy, being called—among other uncomplimentary terms—an “online adultery agency.”39 Critics scorned profits earned through the promotion of infidelity and attacked the company as “a business built on the back of broken hearts, ruined marriages and damaged families.”40 Ashley Madison received additional resistance when the company tried to advertise in the 2009 Super Bowl program booklet. The NFL initially agreed, but then declined the company’s ad and said that the earlier agreement had been a “mistake.”41 CEO Noel Biderman later commented, “I find the rejection to be ridiculous given that a huge percentage of the NFL’s marketing content is for products like alcohol, which they sell in their stadiums, promote on their air and clearly have in the magazine.” He continued, “That’s a product that literally kills tens of thousands of people each year. So if the NFL is worried about legislating behavior and regulating what their audience should be exposed to then it should start with a ban on all alcohol advertising and products being sold, not AshleyMadison.com.”42 NBC, the network on which the Super Bowl was airing, also declined the ad.
The last hurrah went to Ashley Madison, though, when their Super Bowl television ad did end up airing, just not countrywide. Biderman approached local affiliate stations and found a number willing to accept his company’s advertising dollars, even though NBC would not. The stations that aired the ad were in Texas where, according to Biderman, “men love their football and women love to cheat!”44 The Super Bowl advertising controversy continued through 2011 when Ashley Madison was yet again rejected as an advertiser, this time by Fox. In the rejection, Fox stated simply that its Standards and Practices division “has deemed the Ashley Madison spot is not acceptable to air.”45 That was the last documented attempt by Ashley Madison to air an ad during the Super Bowl.
CULMINATION OF CONTROVERSY: ASHLEY MADISON IS “THUNDERSTRUCK”
In 2015, the ongoing controversy over a profitable enterprise preying on infidelity culminated in a data breach. Unlike many other data breaches, the purpose of this one was not the pursuit of financial gain by the perpetrators. It was, quite simply, to put the target out of business. At the time of the breach, the personal information of about 39 million Ashley Madison users was at stake.46 Of particular concern to the hackers was Ashley Madison’s careless, deceptive treatment of users’ personal information.47 According to the hackers, the company’s policy of providing a “full delete” of a user’s profile for $19 was a “complete lie.” “Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed,” the hackers asserted.48 In 2014 alone, Ashley Madison netted about $1.7 million in revenue for its “lie.”
On July 12, 2015, when employees of Avid Life Media (the parent company of Ashley Madison) logged on to their computers, they were greeted by a message from hackers threatening to release confidential company and customer information unless Ashley Madison and Established Men (another Avid Life Media company) were shut down. The AC/DC song “Thunderstruck” played in the background.50 A socially motivated group that called itself the “Impact Team” was behind the threat.51 The group claimed to have stolen sensitive data and personal user information for 37 million Ashley Madison customers, including past customers who had requested that their information be deleted. A week later, after neither Ashley Madison nor Avid Life Media had responded, Impact Team escalated by publicizing its threat. The Team posted it on Pastebin, a popular website used to store and share text, and included a 30-day time limit for compliance. This time Avid Life Media responded. The company acknowledged the threat and announced a joint investigation being conducted by the company, law enforcement, and cybersecurity service provider Cycura.
On July 22, Impact Team released the personal information of two users. Then, on August 18, after the 30 days had passed and Ashley Madison and brother company Established Men were still operating, Impact Team posted the first major Ashley Madison user data dump on Pastebin in a post titled “TIME’S UP.” At this point, the data breach became, by definition, a data leak. Analysis of the 10 GB of data immediately revealed a number of government, military, and corporate email addresses that had been used to sign up for Ashley Madison accounts.53 A second major dump of Ashley Madison data took place on August 20. Unlike the first dump, which had primarily included personal information of users, this dump contained nearly 20 GB of corporate information, including CEO emil messages and Ashley Madison website source code. Now the leak was becoming a torrent. This dump was followed on August 23 by a third dump that included a full list of government email addresses used for accounts (sorted by department) as well as lists of Ashley Madison users’ names accompanied by email addresses, mailing addresses, IP addresses, sign-up dates, and total amounts spent on Ashley Madison services. Additional data dumps followed, including state-by-state leaks.
WHAT HAPPENED NEXT
On August 25, 2015, two Canadian law firms, Charney Lawyers and Sutts, Strosberg LLP, filed a $578 million class action suit on behalf of Canadians whose personal information had been jeopardized through the hack. Toronto-based Avid Dating Life and Avid Life Media, parent entities of Ashley Madison, were named in the suit.54 The suit was brought by Eliot Shore, a former Ashley Madison user who claims that he signed up briefly after his wife died of cancer. He contends that he never met up with anyone and that he never cheated on his wife.55 At least four additional suits have been filed in the United States. Filed on behalf of anonymous (“John Doe”) plaintiffs, they all allege breach of contract and violation of privacy laws, as well as claiming that Ashley Madison and its parent entities were negligent in protecting customer data.56 At least one lawsuit also alleges that a plaintiff paid the $19 fee to have his data deleted completely from company servers; the company clearly did not deliver on that service.57 The effects of the data leak on some stakeholders were far more serious than a loss of several dollars or a minor embarrassment. The data leak was linked to at least two suicides in Canada and multiple blackmail attempts.58 There is no doubt that the release of the personal information changed lives. People who suspected loved ones (spouse, parents, friends, and so on) of having affairs checked the information, and some had their suspicions confirmed. What happened next varied. Some couples ended up separating or divorcing; others ended up in marriage counseling.
Small communities in the southern United States arguably felt the worst post-hack outcomes when the names of locals who had used the site were published on community websites and blogs. A mayor in Alabama was forced to resign, even though he denied ever having used the website. He might have been telling the truth because the names of many public officials—even then-U.S. President Barack Obama—were included among the released list of users although they did not use the service. Phony names were present because Ashley Madison had never verified names or email addresses.60 In the wake of the scandal, Biderman, who had taken office in 2007, stepped down as CEO and left the company.61 Ashley Madison said the resignation was “in the best interests of the company.”62 Far from shutting down the business, however, the scandal had an unexpected effect on Ashley Madison’s business. User subscriptions actually increased, presumably because the widespread publicity made more people aware of the site. Between August and December 2015, the number of Ashley Madison customers climbed an additional 8 percent to a whopping 43.5 million.63 Even though the company did not appear to suffer a significant loss in customers as a result of the scandal, Ashley Madison nevertheless decided in 2016 to rebrand. The company kept its name, but abandoned its former slogan. Ashley Madison’s slogan today is “Find your moment.”
Critical Thinking Questions (with detail)
1. Was Ashley Madison responsible for the data leak? What actions or lack of actions contributed to Ashley Madison being responsible or not being responsible?
2. What are the rights of customers who engage in e-commerce? What is a company’s responsibility regarding the personal information of customers and other stakeholders?
3. What lessons should Ashley Madison learn?
4. What lessons can other companies learn from the experience of Ashley Madison with the data leak?
5. Is it appropriate or ethical for a company such as Ashley Madison to profit by embracing a mission that promotes infidelity among people in marriages or committed relationships?
6. What effects could the leak have on individuals who were using the site in their personal and professional lives?
