Ashley Madison is a website devoted to facilitating adultery. That is literally their customer base – married individuals seeking to cheat on their spouses. Their trademark slogan is, “Life is short. Have an affair.” They further self-describe their operation as, “… the most recognized name in infidelity …” A widely reported breach resulted in a still-disputed number of records being exfiltrated from Ashley Madison’s servers. (See Krebs, “Online Cheating Site AshleyMadison Hacked”, http://krebsonsecurity.com/2015/07/online-cheating-site-ashleymadison-hacked/, retrieved 2015-07-23). The situation is still developing, but I summarize and cite pertinent information here and also examine the company’s use of copyright takedown notices as part of its containment strategy.
“Impact Team” claims credit for the breach, and is threatening to release the incriminating corpus should Ashley Madison and its parent company Avid Life Media not immediately shut down operations. (See Id.)
The responsible parties reportedly released the first records as a warning yesterday. (See CBS, “Hackers expose first Ashley Madison users”, http://www.cbsnews.com/news/hackers-expose-first-ashley-madison-users/, retrieved 2015-07-23). Whether this will be a prelude to a full distribution remains to be seen, but as of now the company seems to still have some chance of containing the breach – the chance at containment will quickly evaporate if a torrent drops. (See Ragan, “Ashley Madison hack exposes IT details and customer records”, http://www.csoonline.com/article/2949902/vulnerabilities/ashley-madison-hack-exposes-it-details-and-customer-records.html, retrieved 2017-07-23 (noting a limited release of approximately 40MB of data as a proof of claims)).
The company’s public statement on Monday was very measured and was limited to confirming the breach, denouncing the attack as “cyber terrorism”, and confirming they have a forensics team investigating the incident. (See “Statement From Avid Life Media Inc.”, http://www.prnewswire.com/news-releases/statement-from-avid-life-media-inc-300115394.html, retrieved 2015-07-23).
These sorts of measured responses are typical in breach situations, especially where investigations are ongoing, and there is a good reason for them. Making false promises or misstating the facts can worsen the problem from a liability perspective. At minimum, public statements will be used against a company in any future litigation, especially where the statements are not truthful. Further, regulatory authorities like the FTC and state governments are increasingly holding companies to their public promises and representations about privacy and security. (See “FTC Takes Action Against LifeLock for Alleged Violations of 2010 Order”, https://www.ftc.gov/news-events/press-releases/2015/07/ftc-takes-action-against-lifelock-alleged-violations-2010-order, retrieved 2015-07-23 (claiming the company made false claims about its identity protection offerings); see also “Start with Security: A Guide for Business”, https://www.ftc.gov/tips-advice/business-center/guidance/start-security-guide-business, retrieved 2015-07-23 (explaining lessons learned and common issues from numerous FTC data breach settlements)).
Unfortunately, as The Guardian reports, the customer service representatives are not following the measured corporate press releases. (See Hern et al., “Ashley Madison customer service in meltdown as site battles hack fallout”, http://www.theguardian.com/technology/2015/jul/21/ashley-madison-customer-service-meltdown-hack-fallout, retrieved 2015-07-23 (noting conflicting representations that the site was not hacked, the size of the hack was minimal, or that payment information was not compromised)).