Ashley Madison Fallout – It Could Be Your Company
As the Ashley Madison data circulates more widely and people have a chance to digest it, the consequences are beginning to add up, and they will have a negative impact on the parent company, Avid Life Media, likely for years to come.
Granted, this is a somewhat unusual situation, so some of these consequences may not apply to any given company, but other, different consequences may. Some of the fallout is:
- ALM planned a $100 million initial public offering this fall. That IPO is now on “hold”. It is unlikely that anyone would be interested in investing in this company for years to come, given the lawsuits that are on the horizon.
- The Toronto police are investigating two suicides that they say are likely related to the release of the data. If the company is held liable for that, it could have significant financial consequences.
- The U.S. military is investigating specific service members. There were about 15,000 .mil and .gov email addresses in the data dump. Extramarital affairs are a violation of the Uniform Code of Military Justice.
- Local investigative reporters in every big city are reviewing the data for names of public figures in their cities.
- A few named people have been “outed”. Josh Duggar, ex-reality TV star and now ex-spokesperson for the family-values-based PAC Family Research Council, admitted that he had two Ashley Madison accounts. In addition, a stripper/porn star has come out on the cover of one of the supermarket tabloids saying that he paid her for sex. While this likely doesn’t have any negative consequences for Avid Life Media, it doesn’t bode well for the Duggar family brand. Their TV series has been cancelled and talks about spinoff series are “on hold”.
- ALM has been served with at least 5 lawsuits seeking class action status in California, Texas, Missouri and Canada. The lawsuits are filed as John Doe and Jane Doe lawsuits. What is unclear is whether the courts will say that the plaintiffs being embarrassed is sufficient reason to allow the suits to go forward anonymously.
- ALM has offered a CAN $500,000 (about $375,000 US) reward for information leading to the arrest of the hackers. For a company that is reported to make $60 million a year in revenue and $20 million a year in profit, offering a $375,000 US reward seems a little light.
- Police are investigating multiple extortion attempts against Ashley Madison customers.
To say that information security at Ashley Madison was lacking would be polite. In one of the leaked emails, the CTO of the company said, “With what we inherited with Ashley [Madison], security was an obvious afterthought and I didn’t focus on it either”. After the Sony breach, someone suggested encrypting customer messages, but CEO Biderman said that he needed to understand what the ‘business opportunity’ of doing that was. He apparently viewed it as an expense, not anything critical to the business. (The hackers claim to have gigabytes of messages and pictures, and if they choose to release those, it could start this mess all over again.)
I have no inside information, but I have to assume that the company’s revenue numbers for this month have dropped precipitously and likely won’t recover for a while and maybe ever.
So while, as I said, this is a pretty unusual case, it certainly serves as a poster child for the potential consequences of a data breach.
Other companies with sensitive information – such as doctors or mental health professionals – are in a similar situation. If patients feel their privacy is not safe, then they will sue and find other providers.
For businesses whose intellectual property is what they sell (pharmaceutical companies come to mind), losing control of that IP can cost them a lot of money.
For critical infrastructure providers, losing control of information regarding details of that infrastructure would allow terrorists to more easily attack that infrastructure, causing outages and other consequences.
For a lot of us, a breach is an inconvenience and a small business liability. But as attackers move on from mode 1 (credit card hacks) to modes 2 and 3 (information collection and business damage), WHO is a potential target changes.
This might be a good time for businesses to review their situations.