Ashley Madison Seeks Security Reboot
The World's Biggest Metaphor for Online Security Stupidity Lives On
The company behind infidelity-focused online dating website Ashley Madison - tagline: "Life is short, have an affair" - has revealed that it's facing an investigation by the U.S. Federal Trade Commission, nearly one year after hackers dumped personal information on millions of its members (see Hacktivism: An Affair to Remember).
Avid Life Media CEO Rob Segal and president James Millership - both of whom were hired in April, and are now seeking to reboot the company and its brands - confirmed the FTC investigation to Reuters, although said they don't know precisely what the federal agency is probing.
Here's a guess: Given that the FTC can investigate deceptive advertising practices - including sites that claim to secure data but then fail to do so - one likely focus of the probe would be on the site's failure to safeguard data, including poor historical password security. Indeed, the hacker or hackers - calling themselves the Impact Team - that breached Ashley Madison dumped nearly 10 gigabytes of data, exposing internal emails as well as millions of user profiles tied to more than 30 million unique email addresses registered with the site. The attackers threatened to dump even more data unless the site closed down.
Second guess: Ashley Madison offered a "paid delete" service that claimed to expunge members' details from its systems after they quit the site. But the Impact Team claimed that it had recovered full details for these paid-delete users after it hacked into the site.
Third guess: The FTC will probe the company's use of so-called fembots, which are fake scripts designed to mimic real-life users. Impact Team, for example, claimed that Ashley Madison "is a scam with thousands of fake female profiles. ... 90-95 percent of actual users are male." But it's not clear if the hackers' assessment was based on details contained in the data dump, or rather a 2013 lawsuit filed by a former Avid Life Media employee based in Toronto - a Brazilian by birth - who said she'd been told to create 1,000 "fake female profiles" for a Portuguese version of the site.
Secret Fembot Confessions
In a July 4 statement from Toronto-based Avid Life Media's new executives, Millership confirmed that the company employed fembots until 2014 for its U.S. and Canadian sites, and until 2015 for sites aimed at other countries.
The fembot usage occurred while Noel Biderman was CEO of Avid Life Media; he left in August 2015 (see Top 10 Data Breach Influencers).
The new leadership team is already attempting to spin this past business practice. "My understanding is that bots are widespread in the industry," Millership says.
Heavy Legal Action
Beyond the FTC probe, the company also still faces a host of class-action lawsuits filed on behalf of both U.S. and Canadian users whose personal details got dumped, as well as relating to its fembot use.
But the executives claim to Reuters that the ratio of real-life male to female users on the site is now five to one.
They've also apologized for the criminal hack in 2015. "The company is truly sorry for how people's lives and relationships may have been affected by the criminal theft of personal information," Segal says in a statement.
Indeed, in the wake of the data breach, users reported a surge in related spam and extortion attempts, to say nothing of the potential boost it provided for divorce lawyers.
Desperately Seeking Reboot
The FTC's probe and class-action lawsuits notwithstanding, the new executives appear to be bullish on future opportunities, saying they're looking for new acquisitions and business partnerships.
The company has also hired Deloitte to overhaul its cybersecurity program and provide full-time monitoring of networks and systems. "Avid Life Media has been investing even more heavily in security enhancements and privacy safeguards to deal with evolving cyber threats over the past year, and that will continue," Segal says.
The company has also promised to offer "new, secure and discreet payment options." Next stop, bitcoins?
Once Bitten, Not Twice Shy
Despite having billed itself as "the world's leading married dating service for discrete encounters" and then failing to provide the promised discretion, Ashley Madison's potential survival shouldn't be underestimated.
For starters, many of the site's users didn't appear to be security-savvy, at least based on the fact that so many used email addresses that led directly back to them once leaked, as well as weak passwords (see We're So Stupid About Passwords: Ashley Madison Edition).
Furthermore, the breach publicity may have done Avid Life Media some marketing favors, according to Mikko Hypponen, chief research officer of security firm F-Secure, citing information from information security and password expert Per Thorsheim.
«Ashley Madison has added 5 million users since they were hacked. WTF» - Per Thorsheim (@thorsheim) at #nordicitsec. pic.twitter.com/8FQhoUhSks
— Mikko Hypponen (@mikko) November 3, 2015
Indeed, by November 2015 - just four months after its data began getting dumped - Avid claimed to have added 5 million new Ashley Madison subscribers.
As cybersecurity expert Alan Woodward, a computer science professor at the University of Surrey, joked at the time: "Maybe Oscar Wilde was correct when he said there was only one thing worse than being talked about: not being talked about."