Ashley Madison

Avid Life Media confirmed on Sunday that Ashley Madison and Established Men, the company's "married people seeking affairs" site and its companion sugar-dating site, have been breached. The Impact Team — the group claiming responsibility — has issued a statement giving the company thirty days to take both sites offline or face publication of the customer database in full (Brian Krebs, krebsonsecurity.com).

This breach is unlike any of the others I have written about this year. Anthem, OPM, and the Hacking Team archive are different kinds of disclosures with different injury patterns. The Ashley Madison disclosure, if it proceeds to full data publication, will harm a specific identified population of users in a specific way that combines privacy invasion with social and personal consequence. People who have used the service will be, in the simplest description, identified to their spouses, families, employers, and communities as having sought adulterous encounters online. The harm is not abstract. The harm is interpersonal and, in some jurisdictions, criminal — adultery remains a prosecutable offence in several US states and many countries. The reputation, employment, and physical-safety consequences will vary by individual, and some of those consequences will be severe.

I am reluctant to write about this case the way I have written about other breaches this year, because the operational-lessons frame feels inadequate to the harm. There are operational lessons. They are real and worth stating. But they do not exhaust what is happening. So I want to write about both.

The operational lessons, briefly. The reported attack vector is the company's internal network, accessed through a route that has not been disclosed. The customer database appears to have been accessible to anyone with internal access; the segregation between internal employee systems and the customer-data plane was insufficient. Passwords are reportedly bcrypt-hashed, which is the right answer. If the published data confirms that, the credentials are reasonably protected against bulk offline cracking, though a slow hash does not save a weak password from a targeted dictionary attack, and reuse of those passwords on other sites is still the risk to warn users about. The other PII fields (payment records, addresses, names, sexual preferences declared in profiles) are the more exposed material. Avid Life Media's "Full Delete" service, which charged users nineteen dollars to remove their data, appears not to have actually deleted it; the Impact Team statement specifically calls this out, and if the published archive confirms the claim, the company is in a particularly difficult legal position, having taken payment for a control it did not implement.
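The Full Delete problem, in engineering terms, is a deletion that removes one row and leaves the rest of a user's footprint behind. The following is an added example, not code from this page or from Avid Life Media: it uses a hypothetical dating-site schema in SQLite to show the naive delete beside a delete that walks every table holding personal data and then audits for residual rows. The schema, table names and sample rows are assumptions constructed for the example.

```python
import sqlite3

# Hypothetical schema for a dating site. This is an assumption for the example;
# it is not Avid Life Media's real schema.
SCHEMA = """
CREATE TABLE users    (id INTEGER PRIMARY KEY, email TEXT, display_name TEXT);
CREATE TABLE profiles (user_id INTEGER, bio TEXT, preferences TEXT);
CREATE TABLE payments (id INTEGER PRIMARY KEY, user_id INTEGER,
                       card_last4 TEXT, billing_name TEXT, billing_addr TEXT);
CREATE TABLE messages (id INTEGER PRIMARY KEY, sender_id INTEGER,
                       recipient_id INTEGER, body TEXT);
"""

# Every table that carries personal data, with the column(s) that tie a row to
# a user. This allowlist is hard-coded: table and column names are never taken
# from request input, which is why building SQL from it below is acceptable.
PII_TABLES = {
    "users":    ("id",),
    "profiles": ("user_id",),
    "payments": ("user_id",),
    "messages": ("sender_id", "recipient_id"),
}


def build_sample_db():
    """In-memory database with constructed sample rows for two users."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice@example.com", "alice"),
                      (2, "bob@example.com", "bob")])
    conn.executemany("INSERT INTO profiles VALUES (?, ?, ?)",
                     [(1, "married, discreet", "prefers weekdays"),
                      (2, "travels often", "prefers weekends")])
    conn.executemany("INSERT INTO payments VALUES (?, ?, ?, ?, ?)",
                     [(10, 1, "4242", "A. Example", "1 Main St"),
                      (11, 1, "4242", "A. Example", "1 Main St"),
                      (12, 2, "1111", "B. Example", "2 High St")])
    conn.executemany("INSERT INTO messages VALUES (?, ?, ?, ?)",
                     [(100, 1, 2, "hi"), (101, 2, 1, "hello")])
    conn.commit()
    return conn


def _user_filter(cols):
    """WHERE fragment matching a user id in any of the given columns."""
    return " OR ".join(f"{c} = ?" for c in cols)


def naive_full_delete(conn, user_id):
    """The failure mode: remove the account row and call the user deleted."""
    conn.execute("DELETE FROM users WHERE id = ?", (user_id,))
    conn.commit()


def residual_records(conn, user_id):
    """Audit: rows in each PII table still referencing the user.

    Returns {table: count} for tables where anything remains; {} means clean.
    """
    found = {}
    for table, cols in PII_TABLES.items():
        sql = f"SELECT COUNT(*) FROM {table} WHERE {_user_filter(cols)}"
        n = conn.execute(sql, (user_id,) * len(cols)).fetchone()[0]
        if n:
            found[table] = n
    return found


def thorough_full_delete(conn, user_id):
    """Delete from every PII table, then re-run the audit and return its result.

    Policy note: deleting a message also removes the other party's copy. A real
    system decides per table whether to delete or scrub; the audit is the part
    that matters here, and it must come back empty before the user is told
    their data is gone.
    """
    for table, cols in PII_TABLES.items():
        sql = f"DELETE FROM {table} WHERE {_user_filter(cols)}"
        conn.execute(sql, (user_id,) * len(cols))
    conn.commit()
    return residual_records(conn, user_id)


if __name__ == "__main__":
    db = build_sample_db()
    naive_full_delete(db, 1)
    print("after naive delete:", residual_records(db, 1))
    db = build_sample_db()
    print("after thorough delete:", thorough_full_delete(db, 1))
    print("other user untouched:", residual_records(db, 2))
```

The audit is the part to keep: whatever a "delete my data" feature does internally, the acceptance test is a query over every table that can hold personal data, run after the delete, returning nothing for that user.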

The harder question is the disclosure ethics. The Impact Team frames its action as an ethical response to Avid Life Media's deceptive business practices — the Full Delete service in particular, and what they describe as the fraudulent nature of the female user accounts. Their statement reads as moral-justification language. The journalism community is going to face, over the next month and at the point of publication, hard questions about whether and how to cover the data. There is precedent in the Sony Pictures coverage in late 2014 — the Aaron Sorkin op-ed in the New York Times in December urging restraint, and the question of whether to report on individuals' private correspondence. The Ashley Madison data, if released, will be more sensitive and the per-individual harm potential greater. The decisions news organisations make about that data will set norms.

There are also derivative harm patterns to anticipate. Extortion — direct, individualised, possibly automated — against named users in the published data is going to be a substantial wave. The Sony case demonstrated the playbook: identify a named person in a leaked archive, contact them with a threat, demand payment. The Ashley Madison data will be vastly more amenable to that pattern because the social-shame component is direct. I expect the SOC to start fielding queries from customer organisations asking how to detect and respond to extortion attempts against their employees, and I am drafting guidance for the vCISO clients ahead of that conversation.

There is also a category of person whose exposure is qualitatively worse. Users who are gay or otherwise non-conforming, in jurisdictions where their identity is criminalised, will be at risk from disclosure in ways that are not abstract. Users who are victims of domestic violence, who may have used the service as part of a planned exit, will be at risk in immediately physical ways. Users who have used corporate or government email addresses will face employment consequences that may include termination, security-clearance revocation, or, for some federal employees, formal investigation. There is no technical control that addresses these harms after the data is published. The control is don't publish the data, and the people in a position to decide that are the Impact Team.

I do not know whether the data will be published. The Impact Team statement names a thirty-day window. Avid Life Media has issued a statement saying they will not be taking the sites offline (avidlifemedia.com press statement). The data may be published in full, in part, leaked piecemeal, sold privately, or not at all. Each of those outcomes is materially different in harm profile.

The frame I want to keep is that this is a privacy and consent failure with a long human tail. The technical content is real and deserves attention. It does not, by itself, capture what is happening to the users of the service in the next thirty days.

