Diane here, COO and the least technical member of our group! I’ll occasionally take control of our blog to give y’all a break from hearing from Kyle. My posts will focus more on things happening in mainstream media or whatever I find interesting, relevant, or scandalous. Enjoy! 🖤
Do you have Netflix? If so, you might have seen their Ashley Madison: Sex, Lies & Scandal docuseries in the trending content recently. Since I’m the COO of a data privacy awareness, education, and advocacy company, I obviously watched the entire series over 24 hours…for research purposes. 📝 🔍
If you don’t want any spoilers, I would suggest pausing here until you’ve watched the series. 🛑
If you would rather not spend roughly 3 hours, below is a quick explainer (you’re welcome).
Ashley Madison, launched in 2002, is a Canadian online dating website for people looking to hook up outside of their marriage/current relationship. Their slogan is “Life is short. Have an Affair.”
Due to the nature of their services, one can assume they took the privacy of their users pretty seriously. Their website had all sort of “medals”, “awards”, and other accolades for their data security policies and procedures. We come to find out these “medals” and “awards” were fabricated and created by some employee using a design editor. (I could have made better graphics and I’m far from being a graphic designer.)
In fact, Ashley Madison had no data security policies or procedures in place. 🤯
At this point you are probably thinking, “Oh that’s bad. They probably had all sorts of data on people.” And you would be right. Ashley Madison had databases of names, ages, billing addresses, birthdays, locations, gender, sexual orientation, photos (including some nudes), kinks, and sexual likes and dislikes… The Verge has an even more extensive list.
Scary, right? Just wait, it goes even further…
Ashley Madison offered the ability to “delete your data” when you closed your account. That’s right, reader, for the low price of $19 you could have Ashley Madison wipe your data from their servers! It would be like you never signed up in the first place. Poof, it’s gone. Sounds to good to be true, right? Well, that’s because it was. Ashley Madison just took the money and never deleted the data.
So now we know they didn’t have any data security in place and they retained all the data they collected on anyone who created an account at any point in time. Sounds like a hacker’s dream…and in 2015 that dream became a reality.
In July 2015, an anonymous group called “The Impact Team” hacked Ashley Madison. The group said if Ashley Madison didn’t shut down by a certain date, they would leak data. As you can imagine, since I’m writing this post, their demands weren’t met and The Impact Team leaked user data. They also went on to leak more information including company records, floor plans, and the CEO’s company and personal email inboxes. Between the two leaks, about 29GB (gigabytes)* of data including “over 36 million Ashley Madison accounts and 9 million individual credit card transactions” was dumped for anyone and everyone to see. (The Verge & Tripwire)
💡 For reference for the non-tech folks out there: The average size of an ebook that you would download to your Kindle or other eReader is about 2.6MB (megabytes). There are 1024 megabytes in 1 gigabyte. So think of it as a little over 11,153 ebooks worth of data being leaked. That’s a lot of data. 💡
The docuseries goes on to explain how these two leaks ruined people’s lives. All those data points I mentioned above are now on the internet for anyone to find. You could (and still can) easily find a website with the leaked information and search someone’s name. There was even an Australian radio show having people call in with names and they would share the search results live on air. Marriages and relationships were tested and, sadly, some lives were lost because of the ramifications of this hack.
I blame two entities for the nightmare and trauma this caused so many people: Ashley Madison and The Impact Team.
A class action lawsuit was brought against Ashley Madison and its parent company, Avid Life Media Inc (now Ruby Corp) and was ultimately settled with Ruby Corp admitting no wrongdoing and agreeing to pay roughly $11.2 million to users impacted by the data breach.
Ashley Madison still exists and, according to a self-report in 2020, has 70 million members.
This is a very unfortunate case study about why it’s so important to understand what data points companies are collecting from us when we use their services. Here at AbsolutelyNothing, our goal is to help you be an informed digital citizen 🧑🏻💻 and the tools our developers are currently hard at work building 👷🏼♂️ (because I help to keep them on task) will help you better understand (1) why companies want certain data about you and (2) how you can take control of your data. 💪🏻
Until next time,
Diane