Ashley Madison offers to pay £8.6 million to those exposed in the 2015 dating site hack
The owner of infidelity dating site Ashley Madison has offered a sizeable settlement to those suing the company, which was hacked in 2015.
Ruby Life, which was known as Avid Dating Life at the time of Ashley Madison’s data breach, has put $11.2 million (£8.6 million) on the table to settle numerous class-action lawsuits.
In July 2015, the details of up to 37 million Ashley Madison accounts were posted online, following a breach at the hands of hackers known as Impact Team.
The people suing the company say the leaked personal details – including names, birth dates, addresses and sexual tastes – have led to emotional distress, financial loss and identity theft. One lawsuit by an anonymous individual said that the Toronto-based company could have prevented the leak if it had taken “necessary and reasonable precautions to protect its users’ information, by, for example, encrypting the data”.
The settlement, which still has to be reviewed by a judge, will mean that Ruby Life won’t have to admit to any wrongdoing, but will compensate individuals with “valid claims” for alleged losses resulting from the breach.
“The parties have agreed to the proposed settlement in order to avoid the uncertainty, expense, and inconvenience associated with continued litigation,” said Ruby Life in a statement.
The company, which bills itself as an “industry leader in open-minded dating services”, goes on to say it has implemented a number of measures to enhance security to customer data. It also offers cover for spouses that may be in hot water with their partners, claiming account credentials were not verified for accuracy ahead of the breach, and could have been made using other individuals’ details.
“Therefore, [Ruby Life] wishes to clarify that merely because a person’s name or other information appears to have been released in the data breach does not mean that person actually was a member of Ashley Madison.”
The legacy of Ashley Madison
News about the settlement comes on the same day as the UK government plans to unveil measures to enforce age restriction on adult sites, as part of the Digital Economy Act. These are slated to encompass the use of credit card information to prove a user is over 18.
While child-safety groups have praised the plans in protecting young people from pornographic content, privacy advocates have raised concerns about the potential for storing personal information about porn viewers – and the risk of this information being hacked and used for extortion. Ahead of the legislation becoming law, Open Rights Group’s executive director Jim Killock said: “As we saw with the Ashley Madison leaks, the hacking of private information about people’s sex lives has huge repercussions for those involved.”
Indeed, before the Ashley Madison information was posted online, leading security experts warned that 37 million users held to ransom by the hackers could be open to further attack from opportunistic blackmailers. A number of hacking insiders predicted that the Impact Team hackers wouldn’t publically release the information but instead sell it to criminals via the Deep Web.
“It’s highly likely that scammers who have had nothing to do with the breach will take advantage of it,” commented Michael Sutton, vice president of security research at cloud security company Zscaler. “Scammers are likely to see an opportunity to profit by sending random ransom emails. With 37 million accounts compromised, it won’t be difficult to identify people that are indeed Ashley Madison customers and are willing to pay a ransom in the hopes that it will maintain their anonymity.”
Ken Westin, senior analyst at cybersecurity company Tripwire, said: “Information associated with adult services has the potential to ruin lives, be used for blackmail or even espionage purposes if government officials are involved.”
(Above: Former Avid Life Media CEO Noel Biderman, in original promotion material for Ashley Madison)
While the Digital Economy Act’s age-verification measures are intended to protect young people, rather than create resources for blackmailers, the worry is that the legislation puts the responsibility for securing personal information in the hands of porn companies.
As such, the Ashley Madison attack was important not only because the infidelity of 37 million people was at risk of exposure, but also because it raised wider questions about privacy on the internet. As vigilante hacks become more common (see 2015’s Adult FriendFinder leak, where the sexual fetishes of 3.9 million people were exposed), online anonymity becomes an increasingly difficult concept to believe in. Can we still trust in internet privacy or do we need to accept that our private online lives are never entirely free from prying eyes?
The hackers behind the Ashley Madison attack went by the name Impact Team, and initially demanded that Avid Life Media (now known as Ruby Corp), who owns Ashley Madison as well as other dating sites Cougar Life and Established Men, take down its websites – namely Ashley Madison and Established Men.
At the time, Avid Life Media’s then chief executive Noel Biderman said that the hack was a “criminal attack” and that the company was “working diligently and feverishly” to secure its sites.
The manifesto explained that the attack was prompted by an alleged lie on the website’s behalf – that for a fee of $19, users are able to completely erase their profile information via a “Full Delete”.
“Full Delete netted ALM $1.7m in revenue in 2014. It’s also a complete lie,” the manifesto says. “Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed.”