Data Breach: The Ashley Madison ripple effect

The 2015 Ashley Madison scandal has not yet been put to rest, as scammers and blackmailers are having a field day capitalizing on victims. It’s been more than four years since the pro-adultery website AshleyMadison.com suffered a major data breach that turned the lives of more than 30 million users upside down.

Out with the old, in with the new?

In 2020, the Ashley Madison scandal has resurfaced to bite users. One might think that a data breach would be long forgotten within four years, but sometimes the effects can ‘last forever’.

Cyber criminals love recycling old data-leak materials, and the extent of the Ashley Madison breach makes it easy for them to try out new blackmail scams. The publishing of this type of sensitive information can have serious consequences for victims, from putting a strain on their marriage to defamation and financial loss. Criminals send out emails asking both current and former users of the website for money in exchange for not revealing their infidelity to friends and family via email or social media platforms. To make the threat believable, the blackmailers also use pieces of personal data found in the leak.

Just because a victim has already paid a one-time fee to one blackmailer does not mean that he will refuse the next one. Once your information is out there, you stand a very high chance of becoming a repeat target.

Let’s refresh our memory

In July 2015, a group called ‘The Impact Team’ stole user data from the extramarital affair website, and threatened to release it if the platform was not immediately decommissioned. The owners of the website refused and, as a consequence, a data dump of 9.7 GB was posted on the dark web. The file contained sensitive data including account details, login credentials and 7 years’ worth of credit card transactions from the platform’s users.

Although it was later discovered that 5.5 million female accounts were fake, the leaked information included names, addresses, phone numbers and passwords linked to actual people. Even if users filled in random addresses and names, the stolen credit card information and payment transaction lists most likely point to real individuals.

Moreover, the operators of Ashley Madison pitched a 48-hour ‘full delete’ service to their customers. For a $19 fee, the service claimed to remove everything linked to your profile, including search results, sent or received messages, usage history, personally identifiable information and any linked photos. Following the breach, leaked internal documents revealed that the permanent account deletion option was not bulletproof.

At the end of a class-action lawsuit filed by victims, the parent company of Ashley Madison agreed to pay $11 million to US-based users. The company was also forced to implement a strong security program and pay $1.6 million to settle FTC and state actions after deceiving its customers and failing to protect their personal information.

Our digital footprints are bigger than we think, and the Ashley Madison case should be an example of how not to treat customer data. As consumers, we should always assume that our online presence will be discoverable at some point in time.

About the author

Alina Bizga

Alina has been a part of the Bitdefender family for some years now, as her past role involved interfacing with end users and partners, advocating Bitdefender technologies and solutions. She is a history buff and passionate about cybersecurity and anything sci-fi. Her spare time is usually split between her two feline friends and traveling.