Several weeks ago, hacker group The Impact Team threatened that they would release the identities and credit card numbers of clients of infidelity-promoting social network Ashley Madison. This week, they made good on their threat, releasing details of a reported 36 million user accounts.
For the moment, the data is apparently out there—some news outlets clearly have access already—but it’s hard to find. But informed commentators suggest it may soon be available and searchable online.
Some will call this a victimless crime: a scuzzy company’s lying-and-cheating customers are getting exposed for what they are. But it’s worth noting that there may be some innocent victims in all this: some Ashley Madison accounts may be spoofed by people using stolen credit cards. Other accounts may belong to people who are not in fact married, but who nonetheless don’t need their online dating habits shared with the world. And even the company’s “core” customers—the ones who truly are acting dishonourably—don’t necessarily deserve to be punished in vigilante style. Or perhaps more to the point, it’s not that they don’t deserve it, but rather that The Impact Team, whoever they are, doesn’t have the right to decide.
What about AshleyMadison.com owner Avid Life Media itself? It’s in a sleazy business, to say the least. Of course, employees at Ashley Madison aren’t themselves committing adultery (well, unless they happen to be, incidentally). So some people might wonder whether the company itself is doing anything wrong in the course of business. I think pretty clearly, yes. When you actively and knowingly contribute to someone’s wrongdoing, you share the blame. And there is a range of familiar examples in which helping someone to do wrong is considered blameworthy. Think of lawyers suborning perjury. Think of business agents facilitating bribery.
Naturally, many are calling this a “wake-up call,” for web-based companies and for the corporate world more generally. Reports suggest that insiders at the company knew that privacy was a big risk, and worried about “a lack of security awareness across the organisation.” One sign of a lax attitude toward privacy: according to a report in the Guardian, while customer passwords were stored in hashed (scrambled) format, “information such as addresses, credit card details and sexual preferences is all stored in plain-text in the database.” So anyone with access to the database has access to a treasure trove of private info.
Perhaps the moral of the story is that, human nature being what it is, it’s easier to make money by pandering to people’s baser instincts than it is to protect the private information gathered along the way.