While Ashley Madison is hardly a pillar of the Fortune 500, or a traditional small market company for that matter, it should serve as a wake-up call to companies of all shapes and sizes. The fact of the matter is, we are witnessing the destruction of a company and countless lives due to a data breach. And the scary thing is, it can happen to any company.
The digital damage is staggering. The hackers targeted two categories of information, released in subsequent online dumps. The first data set included user account information, including email addresses and user names. The second dump consisted mainly of Ashley Madison internal emails regarding business conduct and strategy. While not affecting consumers, this second data dump was just as devastating. Among other things, it revealed the following. First, Ashley Madison charged its users $19 to delete all account information. Apparently, this did not happen. Second, internal Ashley Madison emails reveal executives apparently planning to hack into the networks of its competitors. Third, it turns out that Ashley Madison was full of fake female profiles, likely created to entice new members and facilitate recurring charges. That’s enough criminal and civil liability to keep armies of lawyers busy for decades.
Additionally, the human toll this has taken is staggering. The data at stake here has life and death implications for the users of Ashley Madison. Already, numerous suicides and countless divorce filings have been reported. To make matters worse, cyber extortionists are now targeting the victims.
Who did this and what was the motivation? Brian Krebs has a great piece on this topic. The who, what and how remain unsolved, but data breaches generally occur in two ways. The first typically involves employee negligence, opening a phishing email for example. The second involves a frontal attack exposing intrinsic network vulnerabilities. The motivation appears to be anger over the general purpose of the site and the aforementioned charge to scrub accounts. While not demanding money, the hackers, known as the Impact Team, demanded that Ashley Madison voluntarily pull its site offline and effectively go out of business.
Legally, data security and breach response lawyers will be called onto the scene to handle notifications, supervise forensic vendors, set up call centers, and provide various notifications to governmental agencies and consumers. Class action litigation will ensue. Unless Ashley Madison was adequately insured, plaintiffs will likely be picking over the carcass of a bankrupted company.
The lessons to draw are too many for a short blog post. The overriding lesson is that this can happen to any company. The liability exposure and loss of reputation from a data breach can put your company out of business. With so much on the line, it is a wonder that cyber security is still not a priority at every company, no matter the industry. Preparation alone cannot protect against future attacks, but it can ensure the healthy survival of a company. This approach needs to start at the top, as lawsuits are being brought against Directors and Officers for failing to pay attention to cyber security. We see shareholder derivative suits arising, as well as negligence actions and civil actions brought by the FTC, among other federal agencies. This list would be incomplete without mentioning the scores of state regulators chomping at the bit to stake out their territory. There is enough liability to go around, but with proper preparation, exposure can be greatly reduced.