Selling Lust – Business is Short if You Don’t Protect Your Data
Selling Lust: So you build a business around facilitating cheating and then get hacked; what’s next? While there are certainly tons of moral aspects and positions, I want to consider the technical and legal aspects.
First, I suspect we can agree that the businesses of Avid Life Media, owner of the “cheater facilitation” site Ashley Madison, the “sugar daddy” site Established Men and the “elderly lady, young man” site Cougar Life, are legal online businesses. This isn’t a drug cartel, a how-to-make-a-bomb-at-home site, or an off-shore gambling website skirting mainland laws; these are sites that facilitate perhaps dark but essentially legal needs.
The next line I have said and written at least 100 times; here it goes again…
When (not if) your company is hacked, say, publish, and post NOTHING about the attack or losses. Sure, your clients want to know, the media wants to know, and the attacker wants to know what you know and what’s next. When you say anything other than “All cyber attacks are reported and investigated” you open the door to additional attacks and retribution. ALM seemed to suggest the hack was false and the data dumps phony, or at least questionable. Some distributions probably were filled with malware… but it looks like some are the real deal.
The result of suggesting the dump was fake was a second dump that “appears to contain all of the CEO’s business/corporate e-mails, source code for all of their websites, mobile applications, and more,” along with a note to ALM CEO Noel Biderman: “Hey Noel, you can admit it’s real now.”
My advice to Noel – SAY NOTHING MORE about the attack – not one word.
So let’s talk about the legal aspects…
(Note: I’m not a lawyer – so your results may vary)
A legal US company’s computers were hacked and customer data stolen… that’s clearly a cyber crime.
The data stolen and released contains approximately 36 million members from 46 countries; hence this is a large multi-national cyber hack event.
While adultery is “legal” in the U.S. for consenting adults (I’m still checking with my wife for clarification on that point), that’s not true globally. There are some interesting aspects in this area… For example, 1,200 people on the leaked list had emails based in Saudi Arabia, where adulterers face the death penalty. We’re not talking mad spouse or divorce; we’re talking stoning someone to death.
While it’s unclear exactly what the data contains, it doesn’t seem to include complete credit card info – some records include the last four digits. However, it does seem to contain PII (Personally Identifiable Information) such as email and physical addresses and user sexual affinities, perhaps more. The data is scary and includes things like credit card transaction details and frequency as well as hashed passwords – not plaintext passwords, but still concerning. See:
http://www.theverge.com/2015/8/19/9179037/ashley-madison-data-hack-name-address-phone-birthday
OK, it seems the attackers were fighting on moral and ethical grounds – specifically, there are claims that Ashley Madison was providing fake users (primarily males masquerading as females) to improve the male-to-female ratio. Another claim is that the company, which collected $19.95 to purge user data, was not actually purging the data…
The attackers, who call themselves The Impact Team, suggest these actions are NOT an attack or theft, but actually “hacktivism”: companies that allegedly defraud are targeted for exposure. The Impact Team’s demand was for the sites to shut down; if not, the data would be released. There was no demand for money or financial ransom. As the claimed motivation and actions appear to be non-financial, one could consider this hacktivism. “We have explained the fraud, deceit, and stupidity of A.L.M. and their members,” Impact Team wrote, referring to Avid Life Media. “Now everyone gets to see their data.”
That doesn’t make the theft of data ok but it does challenge our current laws…
If a whistle-blower takes and exposes a CEO’s email proving fraud is it data theft, civic duty, or both?
If a US company facilitates a crime in another country is that enough for civil action?
Right now it appears that REAL data is out in the wild from this attack…
Here’s the best write up on the content I found:
http://blog.includesecurity.com/2015/08/forensic-analysis-of-the-AshleyMadison-Hack.html
Quick scans provide scary results:
Other companies are not immune either; want to see the rank of financial institution emails…
http://advisorhubinc.com/merrill-lynch-leads-ashley-madison-hack-stats-others-included/
Where are the users – check this heat map out (pun intended)
Can you download the data and look at it? First you should know it’s hard. The data is large, complex, and not formatted for simple querying and browsing. It’s also risky – if I wanted to spread a virus right now, a good way would be via a fake, downloadable list claiming to be the actual leaked Ashley Madison list. Is looking at this list morally wrong? Are you doing nothing wrong by looking through the real list of leaked data? At first glance the answer should be no. Just because a bank robber throws his loot out the window during the chase doesn’t make the cash OK to pick up and keep. However, the reality is that’s what’s happening now.
The media is reviewing the data whole-hog – each such review is likely a crime. If you are downloading and reviewing stolen data, and you ARE NOT law enforcement tasked to do so, you are currently violating US laws and personal privacy rights.
On second glance, if you are a current or past member who wants to see if your information was released, it seems reasonable to want to check. Let’s follow that analogy a bit… I was never a member of Ashley Madison (yes, I know some) but I am a member of this bigger group called “Home Depot customers”. They had an equally challenging data theft, but I can’t see using that theft to justify me downloading and reviewing the stolen data. I DO want to know whether my Home Depot data is safe or compromised.
I’m sure there are lots of folks among the millions of users who want to know if their data is in the released data… That has spawned several sites suggesting they have indexed the data and will compare your email to that list. THINK ABOUT this: they are asking you to enter your email address to see if you are listed… Some will be members worried about exposure, others will be spouses checking up on potential cheaters – this will create even more targets to hack and release… that list of potentially exposed emails is almost as valuable as the Ashley Madison data itself…
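One way a lookup service can answer “is my address in the dump?” without building exactly the secondary target list described above is a k-anonymity range query, the same idea Have I Been Pwned uses for its password-range API: the client hashes the address locally, sends only the first five hex characters of the hash, receives every suffix in that bucket, and does the final comparison itself. The code below is an added example, not code from the original post or from any of the lookup sites it mentions; the leaked-address index and the addresses in it are constructed for the demonstration.

```python
import hashlib

# Constructed sample index held by the lookup service. These addresses are
# made up for the example and are not taken from any real dump.
LEAKED_EMAILS = [
    "alice@example.com",
    "bob@example.org",
    "carol@example.net",
]

PREFIX_LEN = 5  # 5 hex chars = 20 bits of the hash sent to the service


def normalize(email):
    """Lower-case and trim so the same mailbox always hashes the same way."""
    return email.strip().lower()


def email_hash(email):
    """SHA-1 of the normalized address as upper-case hex (HIBP range-query convention)."""
    return hashlib.sha1(normalize(email).encode("utf-8")).hexdigest().upper()


def build_index(emails):
    """Service side: bucket the hash suffixes by their 5-hex-char prefix."""
    index = {}
    for e in emails:
        h = email_hash(e)
        index.setdefault(h[:PREFIX_LEN], []).append(h[PREFIX_LEN:])
    return index


def range_query(index, prefix):
    """Service side: the only value the service ever receives is the prefix."""
    if len(prefix) != PREFIX_LEN:
        raise ValueError("prefix must be exactly %d hex characters" % PREFIX_LEN)
    return index.get(prefix.upper(), [])


def is_listed(index, email):
    """Client side: send the prefix, compare suffixes locally.

    Returns (listed, what_the_service_saw) so a caller can confirm that the
    service only learned the prefix, never the address.
    """
    h = email_hash(email)
    prefix, suffix = h[:PREFIX_LEN], h[PREFIX_LEN:]
    bucket = range_query(index, prefix)
    return suffix in bucket, prefix


if __name__ == "__main__":
    idx = build_index(LEAKED_EMAILS)
    for addr in ("Alice@Example.com", "nobody@example.com"):
        listed, seen = is_listed(idx, addr)
        print("%s -> listed=%s, service saw only %r" % (addr, listed, seen))
```

The trade-off is worth stating plainly: the service still learns 20 bits about the address, and it can always guess-and-check an address it already suspects, so this limits what a lookup site accumulates rather than making the query anonymous.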
We are already seeing celebrities confirm memberships to quickly end speculations and gambling on who will be exposed.
The business side of things:
I won’t call these dating sites – more like hook-up sites. They are for-profit and run and grow on users. For heterosexual relationships, we all pretty much know there are more men looking than women. The declared and real ratios vary, but Ashley Madison complicates this ratio disparity. Unlike a dating site that offers a service for a fee and a period of time, this is more like a pay-per-view mechanism. You have a public profile, and when you find a likely match after viewing their public profile you “wink”; if there’s interest you get a wink back – BUT someone has to pay for the “wink”. It’s a pretty good bet the “winks” are bought by the men on the site, so there’s a clear need for gals on the site willing to wink back – that’s how money is made. There are some pretty tough lawsuits alleging hired females made multiple false profiles…
Seems Ashley Madison is pretty lawsuit-proof – the boilerplate on the site basically says some profiles are NOT real and are for amusement…
“Our Site and our Service gives users the opportunity to explore their fantasies and to interact with others on the Site. However, there is no guarantee you will find a date or partner on our Site or using our Service. Our Site and our Service also is geared to provide you with amusement and entertainment. You agree that some of the features of our Site and our Service are intended to provide entertainment.
You acknowledge and agree that some of the profiles posted on the Site are associated with our “Ashley’s Angels™” and may be fictitious. The purpose of our Ashley’s Angels™ is to provide entertainment, to allow you to explore our Services and to promote greater participation in our Services. Ashley’s Angels™ attempt to simulate communications with real members to encourage more conversation and interaction with users.
We also use Ashley’s Angels™ to monitor user communications and use of our Service to measure compliance with the Terms. Further, we may use Ashley’s Angels™ in connection with our market research to enable us to analyze user preferences, trends, patterns and information about our customer base. Ashley’s Angels™ are not intended to resemble or mimic any actual persons.
You understand and acknowledge that we create the Ashley’s Angels™ profiles and those profiles are not based on any user or member of our Service. A single Ashley’s Angels™ may have more than one profile on our Service. You acknowledge and agree that the descriptions, pictures and information included in the profiles of our Ashley’s Angels™ are not associated with a real person, but are provided primarily for your amusement.”
The above basically says some of the folks are fakes – oh yeah, if you wink at a “fake” you still pay…
So you want off the site and want your data deleted – that will cost you $19.95 for a full delete, versus a free deactivate. Charging for deletion is, as they say, “our prerogative”…
“16,000 people a month are totally ecstatic with it, and people don’t understand that. This isn’t a charity, we have to charge for that, and that’s our prerogative,” Biderman continued. Ars later asked a spokesperson for Avid Life Media, the parent company of Ashley Madison, to confirm that number, and the spokesperson said that the number of Full Deletes the site sells each month varies between 8,000 and 18,000. (Noel Biderman is both the CEO of Ashley Madison and Avid Life Media.) For those keeping score, numbers like that would mean that Ashley Madison is raking in somewhere between $152,000 and $342,000 each month, just from the Full Delete option alone.
My take on the attack and what will happen next:
First, these types of businesses are based on trust – if you’re going to cheat on your spouse, discretion and protection are paramount. I predict this company and its sites will NOT survive this data attack. The users and their money will leave…
Like ANY business with online presence and ESPECIALLY one that is 100% online and controversial – if you DON’T protect your data you will lose it. It is 100% ALM’s responsibility – there are always hackers and the data custodian is responsible – pure and simple.
There are, in my view, REAL liabilities to ALM – there are countries in the mix where adultery can result in death. There are users with work, .mil and .gov emails. Sure, any user can enter them. If you were a user stupid enough to use a work, .mil or .gov email you’re in trouble… If you’re NOT an ALM user and your email was entered by someone else, you will still likely have some explaining to do. The fact that ALM didn’t verify emails is pretty concerning. They will not be able to hide behind “we can’t control what users enter”…
I think this attack IS hacktivism – that doesn’t make it right, but it complicates prosecution and public perceptions. When I started this topic I thought it would be clear: stolen data, not OK. Now I’m thinking: stolen data, not OK, BUT ALM has some pretty bad things in the closet, and it wouldn’t surprise me if this attack has an insider threat, disgruntled member or hurt spouse aspect to it.
“Our prerogative” are two scary words. SURE a company can make legal rules and then claim it’s our prerogative. But we live in a brave new world – live by the sword, die by the sword… If you hurt clients they can fight back, and now it’s not a terse letter to the CEO, it’s an attack that can crush a company in days. Before Twitter, Foursquare and other feedback sites, customer service was a local issue. Now it’s fast and easy to share angst. It seems to me this attack was driven by angst with the company and its policies and maybe even morals. I guess that’s good for companies that are on better moral ground.
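The missing control above, email verification at signup, is a small piece of engineering: the site mails a signed, time-limited token to the address that was typed in, and the account only becomes active when that token comes back, so nobody can attach a mailbox they cannot read (a spouse’s, a colleague’s, a .mil address) to a profile. The code below is an added example, not ALM’s code or any real site’s; the server key, the 24-hour lifetime and the `Accounts` registry are assumptions made for the demonstration.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Hypothetical server secret. In a real deployment this comes from a key store,
# not from source code; a fresh random key is generated here so the example runs.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 24 * 3600  # assumed lifetime of a verification link


def _b64(data):
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def normalize(email):
    """Canonical form so 'Someone@Example.mil' and 'someone@example.mil' are one mailbox."""
    return email.strip().lower()


def make_verification_token(email, now=None):
    """Issue an HMAC-signed token bound to the address and its issue time."""
    issued = int(now if now is not None else time.time())
    payload = ("%s|%d" % (normalize(email), issued)).encode("utf-8")
    sig = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_token(token, email, now=None):
    """True only if the signature is valid, the address matches and the token is unexpired."""
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = _unb64(payload_b64)
        sig = _unb64(sig_b64)
    except (ValueError, TypeError):
        return False
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        return False
    try:
        addr, issued_text = payload.decode("utf-8").rsplit("|", 1)
        issued = int(issued_text)
    except ValueError:
        return False
    current = now if now is not None else time.time()
    if current < issued or current - issued > TOKEN_TTL_SECONDS:
        return False
    return addr == normalize(email)


class Accounts:
    """Minimal registry: an address is usable only after the token mailed to it comes back."""

    def __init__(self):
        self._pending = {}
        self._verified = set()

    def register(self, email, now=None):
        email = normalize(email)
        token = make_verification_token(email, now)
        self._pending[email] = token
        # In a real system the token is sent to `email` and never shown to the
        # browser that submitted the form; it is returned here only for the demo.
        return token

    def confirm(self, email, token, now=None):
        email = normalize(email)
        if not verify_token(token, email, now):
            return False
        self._verified.add(email)
        self._pending.pop(email, None)
        return True

    def is_verified(self, email):
        return normalize(email) in self._verified


if __name__ == "__main__":
    acc = Accounts()
    tok = acc.register("Someone@Example.mil")
    print("verified before click:", acc.is_verified("someone@example.mil"))
    print("confirm with mailed token:", acc.confirm("someone@example.mil", tok))
    print("verified after click:", acc.is_verified("someone@example.mil"))
```

The signature covers both the address and the issue time, so a token cannot be re-pointed at a different mailbox, and the expiry bounds how long an unread verification mail stays useful.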
You can sell cigarettes but don’t expect hugs for doing it… It seems to me this company was built on a business of poor morals and bad judgments and it’s no surprise that it would create angst and eventually draw attacks. It doesn’t make the attacks ok, just likely.
I hope this serves as a notice to other companies and our customers. Your business is data driven. If you lose control of YOUR data you can lose your entire business or even worse!
I hope those that have to explain membership to their spouses realize that lots of people get hurt by infidelity and maybe this event will help them fix or leave difficult relationships.
Personally, I don’t like the concept of facilitating adultery and honestly if the company folds that would be ok by me. However, hactivism is a scary weapon; good if you like the specific cause and bad if you don’t. I’m not sure how we can tolerate these types of attacks and still have a free and growing market.
Perhaps Ashley Madison’s motto “Life is Short, Have an Affair” should change to “Business is Short if You Don’t Protect Your Data”
BTW that’s mine – I claim it! “Business is Short if You Don’t Protect Your Data”