No Surprise: Ashley Madison Breach Triggers LawsuitsSecond Data Dump Promises Further Damage, But Fails to Deliver
The massive breach of online dating site Ashley Madison has triggered class action lawsuits against Toronto-based parent company Avid Life Media. Meanwhile, the hackers behind the breach of the site have leaked a second, larger batch of stolen data, although security experts say the dump - which purports to include the dating site CEO's emails - appears to be corrupted and cannot be opened.
Avid Life Media was targeted by a group calling itself the "Impact Team," which in July warned that unless the company shut down three of its dating sites - including Ashley Madison - it would leak extensive amounts of stolen data, including customers' personal details, the company's financial records and much more. Thirty days after making that threat, the hackers followed through by releasing a compressed, 9.7 GB file via BitTorrent, which appears to contain extensive data on the site's customers (see Ashley Madison Hackers Dump Stolen Data).
That leak is now the focus of a lawsuit seeking class action status filed in Canada on Aug. 20 by Eliot Shore, claiming $760 million (U.S. $577 million) in damages. Shore says he joined Ashley Madison seeking companionship after the death of his wife of 30 years, but reports not meeting anyone online. The lawsuit has been filed by two firms - Charney Lawyers; and Sutts, Strosberg LLP - and names Avid Dating Life Inc. and Avid Life Media Inc. - the companies that run AshleyMadison.com - but not the hackers involved in the breach.
"The allegations in the class action include that the privacy of many thousands of Canadians was breached in July 2015 when hackers infiltrated AshleyMadison.com and downloaded private information," according to a statement released by Sutts, Strosberg LLP says.
At least one other lawsuit seeking class action status has been filed against Ashley Madison since the breach came to light. Just days after the Impact Team's initial threat in July, a woman from St. Louis, identified in court papers as "Jane Doe," sued the company in U.S. federal court over its $19 "full delete" service to remove all traces of a customer's membership, alleging that the service failed to work as advertised, AP reports. The woman's attorney tells AP that it is not clear if the plaintiff's information is contained in the now-leaked data.
Will Breach Suits Succeed?
While related laws vary by country, multiple legal experts have questioned whether Ashley Madison breach-related lawsuits will succeed. In the United States, for example, plaintiffs typically would have to prove that they suffered some type of direct harm as a result of the breach (see Why So Many Data Breach Lawsuits Fail).
"I'd be surprised if you get a lot of traction here," Scott Vernick, a partner and head of the data security and privacy practice at U.S. law firm Fox Rothschild LLP tells AP.
In the United Kingdom, meanwhile, divorce attorneys and relationship-counseling services have already reported receiving inquiries from people who have reported finding their spouse's personal details in the dating site's membership roster, the Telegraph reports. And the dating site could face related court cases from some of the country's estimated 1.2 million users.
"The interesting thing about this incident is that recent court decisions in the U.K. have been leaning towards the view that a claim can be brought when no financial loss occurs but where a person experiences distress as a result of an data breach," Luke Scanlon, a technology lawyer at firm Pinsent Masons, tells the Telegraph.
If everyone participating in a class action lawsuit attempted to claim even relatively small damages - such as Â£1,000 - that could create a Â£1.2 billion legal bill that might topple Avid Life Media, he adds. On the flipside, however, anyone who joined the lawsuit would then potentially be publicly outed as being an Ashley Madison user. Given that the site is advertised as a way to facilitate "discreet" encounters, the requirement to go public might undercut the incentive to seek relatively small damages.
In terms of a legal precedent for this potential type of case, however, and the likelihood that it might succeed, Scanlon tells Information Security Media Group that it is not clear whether U.K. laws - in particular the Data Protection Act - could be applied to "Ashley Madison's data processing activities." He adds: "If it can be said that Madison Ashley is using equipment within the U.K. to collect data from individuals located in the UK, then there is some scope to argue that the Data Protection Act would be applicable to it."
Hackers Taunt CEO
Meanwhile, the Ashley Madison data-dump saga still is heating up. Ashley Madison CEO Noel Biderman, for example, publicly suggested that Impact Team's first data dump this week was a fake, although numerous security experts have disputed that assertion. With the second, 19 GB compressed file release on Aug. 20 - twice the size of the first dump - the security researcher known as Hydraze says the attackers appear to have tried to call Biderman's bluff. Notably, one of the included files was "noel.biderman.mail.7z," while a message included in the dump reads: "Hey Noel, you can admit it's real now."
Avid Life Media says it is aware of the supposed second data dump, and has reiterated that it's working with law enforcement agencies to investigate. "We are aware of the reports that criminals have stolen proprietary company files from Avid Life Media and are disseminating them online. We are working with law enforcement, including the U.S. Federal Bureau of Investigation, the Royal Canadian Mounted Police, the Ontario Provincial Police, and the Toronto Police Services to determine who is behind this criminal activity."
The company has also called for the focus of the breach to be on the perpetrators, not the site's users. "Regardless of the nature of the content, our customers, this company, and its employees are all exercising their legal and individual rights, and all deserve the ability to do so unhindered by outside interference, vigilantism, selective moralizing and judgment. The individual or individuals who are responsible for this straightforward case of theft should be held accountable to the fullest extent of international law."
Second Dump: Corrupted?
According to Hydraze's analysis of the second dump's file structure, it appears to contain:
- Nearly 3 million lines of source code;
- 73 unique Git - used to manage software development projects - repositories;
- A 13 GB compressed file that appears to be Biderman's email spool;
- "Plain text or poorly hashed (MD5) [database] credentials."
But numerous security experts, including Robert David Graham, head of research firm Errata Security, have reported that the second encrypted file that is circulating on BitTorrent cannot be opened because part of it seems to have been corrupted.
Given the Impact Team's apparent vigilante leanings, however, security experts say it's likely that the hackers will soon compress and upload a working, second data dump. "I'd be surprised if the repost doesn't come soon," says PasswordsCon conference founder Per Thorsheim via Twitter.
I applaud ImpactTeam and they way they make us struggle with a corrupted file. #BestTrollEverï¿½ Rob Graham (@ErrataRob) August 20, 2015
Scammers Target Breach Victims
Scammers are already beginning to prey on breach victims' fears. Raj Samani, chief technology officer for EMEA at Intel Security, warns that via Craigslist, scammers are now offering to magically remove breach victims details from the leaked data. Of course with the first BitTorrent file now in wide circulation, that is impossible, because too many copies of the leaked data exist to access them all. Indeed, if previous mega-breaches are any guide - for example, Anonymous leaking HBGary Federal's Gmail spool in 2011 and the Guardians of Peace in 2014 leaking embarrassing Sony executives' emails - the leaked data will likely live online, not least via underground forums, in perpetuity (see Hacktivism: An Affair to Remember).
Will Ashley Madison Profit?
What's uncertain is whether Ashley Madison will survive the hack attack and rolling data breaches, or might even profit from the attacks. "With all the extra publicity, Ashley Madison is only going to be getting more users. Unless class action lawsuits put them out of business," Mikko Hypponen, chief research officer at security firm F-Secure, says via Twitter.
Indeed, Thorsheim notes that one year after social network LinkedIn suffered a devastating breach in 2012 - revealed after an attacker uploaded 6.5 million users' LinkedIn passwords to an underground password-cracking forum - the company's share price had doubled.
@mikko When Linkedin got hacked they had 120mill users. 2 months later 160mill. 6 months after hack 200 mill. Share price doubled in 1 year.ï¿½ Per Thorsheim (@thorsheim) August 21, 2015