Putting aside the salacious details, there is something different about the Ashley Madison hack when compared to other high-profile breaches at Anthem or Target.
The Ashley Madison breach revealed secrets that are now known forever. What makes the Ashley Madison attack feel different is that it involved personal and intimate information, disclosed for public shaming, not profit.
Following the recent breach at Ashley Madison, an online site dedicated to helping married people find others looking to have an extramarital affair, at least four lawsuits were filed in the US against Ashley Madison’s parent company, Avid Life Media (two in California, one in Texas, and one in Missouri), and at least one in Canada, where Avid Life Media is based. All the suits have been filed by anonymous “Jane” or “John Doe” plaintiffs alleging breach of contract, negligent protection of customer data and violation of various state privacy laws. The lawsuits also allege that the Ashley Madison companies knew that their networks were insecure, which may find support if the recent speculation that the hack was an “inside job” by a disenchanted employee proves to be true.
While the legal allegations are familiar to anyone following data breach lawsuits, there is something different about the data that was stolen here. Yes, credit card information was accessed, but the crux of the Ashley Madison hack was to share people’s secrets, specifically the identities of people who anonymously tried to pursue an affair. Ashley Madison promised anonymity, but the breach erases that promise. In “hacker speak,” the practice of stealing and publishing private information about someone with malicious intent is known as “doxxing.”
Ashley Madison users, while not the most sympathetic group to experience an invasion of privacy, may be victims of a breach that cuts to the heart of what it means to have “private” information stolen. Credit cards can be replaced, but secrets cannot be unrevealed. It strikes the same chords as a recent “internet of things” story about hackers who could hack a baby monitor and view a sleeping child.
These types of hacks show that there does not have to be a monetary loss in order for the hacking of personal information to make an impact. For companies like Ashley Madison that market their ability to protect secrets and other personal, non-monetary information (i.e., information beyond Social Security and credit card numbers), the loss of goodwill from a breach is potentially more threatening than the cost of replacing stolen credit cards or defending lawsuits. Such companies would be well-served to plan ahead and take extra precautions with their sensitive data.