The Ashley Madison affair has highlighted the risks in sharing personal data online and revealed the need for better data-protection policies. Many sources are reporting that up to 10 gigabytes of personal data stolen from the 37 million users of the online dating service for extramarital affairs has been dumped on to various Torrent file-sharing services in the past few weeks.
About a month ago, hackers claimed that they had stolen sensitive customer information and threatened to post the data online unless the Ashley Madison website ceased its business activity. This appears to have been triggered by the company’s failure to honour its claim that a user could have data permanently erased from the platform database by paying an extra $19. The hackers went on to release home and email addresses, credit card numbers, sexual preferences and other sensitive data of its registered users, which include US military servicemen, CEOs and government officials.
Raja Bhatia, Ashley Madison’s former chief technology officer, tried to dismiss the whole issue. “The overwhelming amount of data released in the last three weeks is fake data,” he said. But this data dissemination is revealing a much wider breach with potentially disastrous consequences for all those involved – along with several “bad practices” and data protection policy issues.
To start with, there was no email verification for new users of Ashley Madison (understandably so given the nature of the business). Therefore, it was easy for many simply to deny ever joining – and they may be right. It is also likely that this lack of verification encouraged many to use fake names and email addresses. (Too bad though for those who used their real names.) And the website’s claim that user data was encrypted to protect against external hacks clearly didn’t work.
If it is confirmed that Avid Life Media, the owner of AshleyMadison.com, did not delete user data permanently as promised, there could be a serious knock-on effect in terms of trust for the entire online dating industry. Indeed, users of such sites should make a point of reading the “fine print”, checking terms of service and how personal data will be managed.
Before joining such websites, we should ask the following four key questions: Will our personal data actually be encrypted? Who is entitled to access and use them – and how? Do we trust the company and its managers? And does the website have a secure connection (https)?
Will these measures be enough? Probably not, but they are certainly a good place to start. Better safe than sorry, especially when facing such huge leaks.
Author: Andrea Stroppa writes about security and technology for the World Economic Forum.
Image: A photo illustration shows the Ashley Madison app displayed on a smartphone in Toronto, August 20, 2015. REUTERS/Mark Blinch