The Ashley Madison data breach: could it happen today?
A recent Netflix documentary is retelling the story of the mass data breach in 2015 affecting up to 36 million users of the Ashley Madison website. A decade ago, the Canadian site’s USP was already proving controversial: catering for happily married people looking for a discreet affair. The leak was personally calamitous for many. It also brought data protection and cyber compliance squarely into public consciousness for the first time.
So, in an age of global data protection and cyber laws, could a similar leak happen again? How far have we really come?
More haste, less speed
The first phase of the leak was the mass release, over three dumps, of encrypted account information relating to millions of customers. Crucially, it happened at a moment of dizzying expansion for the company.
Discovering user identities was made “a million times easier” by a site encryption technique that effectively made all passwords discoverable by breaking one of them. According to commentary from Ars Technica, Ashley Madison’s IT team realised the mistake in time but did not want to slow down the site while 36 million logins were updated. The documentary paints a familiar picture of a company expanding too fast to keep up with basic cybersecurity. Today, rapid expansion remains a key risk, with takeovers, opaque supply chains and cloud misconfiguration being particular pinch points for companies under pressure.
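The article does not spell out the flaw, so the following is an added, constructed illustration of the general class of mistake it alludes to, not the site's actual scheme or code: when every account is protected by one fast, unsalted hash, recovering a single password exposes every account that shares it with a plain lookup, whereas a per-user salt plus a slow key-derivation function (PBKDF2-HMAC-SHA256 here) forces each account to be checked individually. The user names and passwords are made up for the example.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (not real data): two users share a password.
USERS = {"alice": "Summer2015!", "bob": "hunter2", "carol": "Summer2015!"}


def weak_store(users):
    # Anti-pattern: a single fast, unsalted hash for every account, so two
    # users with the same password end up with the identical digest.
    return {u: hashlib.md5(p.encode()).hexdigest() for u, p in users.items()}


def strong_store(users, iterations=200_000):
    # Recommended pattern: a random per-user salt and a deliberately slow KDF.
    store = {}
    for u, p in users.items():
        salt = os.urandom(16)
        dk = hashlib.pbkdf2_hmac("sha256", p.encode(), salt, iterations)
        store[u] = (salt, iterations, dk)
    return store


def exposed_by_one_crack(weak, known_password):
    # Once one password is known, every account with the same digest in the
    # weak store is identified by comparing digests; no further work per user.
    digest = hashlib.md5(known_password.encode()).hexdigest()
    return sorted(u for u, h in weak.items() if h == digest)


def distinct_digests(strong):
    # With per-user salts, identical passwords still yield distinct digests,
    # so one recovered password gives no free hit on the other accounts.
    return len({dk for _, _, dk in strong.values()})


def verify_strong(strong, user, candidate):
    # The only way to test a candidate against a salted, slow hash is to redo
    # the full derivation for that one user; compare in constant time.
    salt, iterations, dk = strong[user]
    test = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, iterations)
    return hmac.compare_digest(test, dk)
```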
Generic passwords
In 2015, most user passwords on the site were generic. Today, everyone knows they should use secure passwords, but according to the UK ICO, password attacks spiked in 2023 and insecure passwords remain a problem. Knowing that the public cannot be relied on to fix this, UK lawmakers have recently required that connected products are not sold with easily cracked default passwords. Unlike those happily married couples, it seems we do stay loyal to our old favourites.
Motives
Questions remain over whether the attack was carried out by a group or an aggrieved insider. If the latter, it appears to have been motivated by frustration over lax cybersecurity at the company rather than money, ideology or revenge. While it’s still pretty rare that the CISO goes rogue, unhappy employees remain an appreciable source of breaches, as noted in the 2023 Verizon report, cited by Electric.
Reporting
The leak played out in July and August 2015. By strange coincidence, a new law introducing personal data breach reporting requirements had come into force in Canada just a month earlier, but was not yet operational. Today, such laws are widespread, and compulsory reporting of cyberattacks in key sectors is gaining ground in many jurisdictions: for example, the expanded scope of reporting duties for critical sectors in Europe (NIS 2; and DORA for financial services) and the US (CIRCIA), plus SEC reporting rules for public companies.
The hope is that as well as incentivising security, reporting will lead to better prediction of attacks. For the moment, though, reporting remains inconsistent and, given the high price paid by organisations holding out against blackmail (such as the British Library), incentives to quietly pay a ransom demand may remain compelling.
Certification
At the time, Ashley Madison users were fooled by cut-and-paste cyber “certifications” on the website as it then was. Now, even when they are genuine, cybersecurity certification schemes are difficult for the public to understand and benchmark. Despite concerted efforts, such as the 2019 EU Cybersecurity Act, the market remains fragmented. An AI-engineered website “certification” might still dupe many.
Deletion
One of the key customer and regulator complaints was that Ashley Madison promised secure deletion of accounts for a payment of $19. In fact, no deletion had ever happened. Nowadays erasure rights come for free: Europe has the GDPR’s “right to be forgotten” and in the US, all 19 states with enacted privacy laws have included basic rights of deletion. However, unless duties are backed up by compliance, it’s back to square one. Regulators today regularly call out organisations that are failing in their deletion duties: such as this PIPC fine from South Korea, where the data holder was holding onto hundreds of thousands of extra accounts.
Problems with addictive content
As the documentary reveals, the website made achievable what otherwise might have remained a passing fantasy, then kept users hooked, by sending fake messages from bots posing as women. After decades, we are seeing some belated attempts to address problematic content and addictive recommender systems, led by the UK Online Safety Act 2023, and the EU Digital Services Act. Things are changing slowly, but there’s a mountain to climb. Synthetic content is still a massive problem, although labelling rules in the new EU AI Act may be the start of a solution.
What happened next?
At the time, the leak felt cataclysmic, but the legal fallout less so. In the US and Canada, several data breach class actions settled, awarding nominal sums to those affected. The US Federal Trade Commission (FTC) took action based on the site misleading consumers with fake user accounts and not being open about security measures. The action settled in December 2016 for a few cents per user. There were separate settlements with regulators in Canada and Australia. This would have huge nuisance value for any company, and no doubt forced change, but can hardly have dented profitability in the long run.
Has the site changed?
In the digital age there is seemingly no such thing as bad publicity. Even in 2015, investigators suspected that the leak might be a stunt gone wrong: a theory later debunked. The website is still operational, and has more sign-ups than ever.
On the premise that the hardest house to break into is the one that’s been burgled, it seems that for Ashley Madison itself, all is well. The FTC ordered a full data security programme and a visit to the site today shows a familiar roster of privacy notices and robust assurances about account security.
Other dating sites may be less prepared. Data protection failures including the retention of 2.4 million accounts dating back to 2012 led to the €200,000 fine of an Italian online dating service in December 2023. And in Norway, the Grindr dating app has recently failed again to overturn a finding that it shouldn’t share user identities with advertisers as this is sensitive information.
Have we changed?
AI is now the buzzword in cyber compliance, supercharging both attacks and threat detection. Laws and cybersecurity expertise have come a long way and there is much greater user awareness. But we could argue that a fair number of basic drivers haven’t changed: the list might include highly attractive content, addictive techniques to keep users hooked, cyber compliance struggling to keep up with company expansion, plenty of incentives for malicious actors, an open internet for hacktivists, patchy cyber regulation in certain domains, limited class action payouts for data breach, and cumbersome regulator enforcement. On top of an unchanged human nature.
After the leak, user identities were only made available because of the actions of online “cracktivists” who published decryption techniques within days for free on the open web. So arguably the real damage was done by others, including the media which did some public outing. These are forces which remain largely beyond data protection law.
The conclusion? Life is short, and so are attention spans. Recent data breaches of stalkerware sites have a familiar ring and not all the lessons from Ashley Madison’s misfortune may have been taken on board. The next highly compromising cyber breach may still only be one click away.
This article was written for GRIP on 24 July 2024