Ashley Madison Class Action Lawsuit
AshleyMadison Data Breach
On July 15, 2015, the news media began reporting that AshleyMadison.com was hacked. On August 18, 2015, the media reported that 9.7 gigabites of AshleyMadison's user data was posted onto the darkweb. This included the personal names, addresses, phone numbers, email addresses and login details for over 32 million AshleyMadison users. Current and former users are concerned that their personal, private information has been or will be publicly accessible.
On August 20, 2015, Charney Lawyers and Sutts, Strosberg LLP launched a national class action against the owners and operators of AshleyMadison.com. This lawsuit was filed in Toronto on behalf of all residents of Canada who subscribed to the website. The plaintiff claimed $760 million in damages. You can review the press release here. On August 25, 2015, the same law firms filed a class action in Montreal on behalf of all Quebec residents who subscribed to Ashley Madison.
The Office of the Privacy Commissioner of Canada (“the Privacy Commissioner”) and the Office of the Australian Information Commissioner have jointly investigated Ashley Madison. On August 23, 2016, the Privacy Commissioner released a report highly critical of the website’s security measures and business practices, including violations of federal privacy laws. These findings may assist in prosecuting the class action against the corporate owners of Ashely Madison, Ruby Corporation (formerly Avid Life Media Inc). Below is a summary of some of the interesting findings of the Report. You can read the complete report here.
Canadians in every province, including Quebec, are encouraged to reach out and participate in this action.
WARNING: Fraudsters are now sending emails to AshleyMadison users asking them to pay money to join a class action. This is a scam. Do not pay them. Do not provide them any personal information. To date, Charney Lawyers and Sutts, Strosberg LLP are the only Canadian law firms prosecuting a class action against AshleyMadison. We only take your personal information by phone. No money changes hands.
Contact Our Class Actions Lawyers
The law allows you to receive compensation for serious invasions of privacy. We encourage you to contact one of our lawyers with any questions about this class action. You information will be held in strict confidence by Charney Lawyers and Sutts, Strosberg LLP.
Contact Brendan at Charney Lawyers
Contact Shane at Sutts, Strosberg LLP
Join as a Representative Plaintiff
We are also searching for more representative plaintiffs to help us prosecute this class action against AshleyMadison.com. We are looking for representatives from every Canadian province to act as plaintiffs in the lawsuit. If you take on this role, we can seek an Order from the Court allowing you to remain anonymous to the public. If this Order is granted, your name would appear on the record as John Doe or Jane Doe. If this Order is not granted, you could abandon the action while staying anonymous to the public. Contact Brendan or Shane, above, for more information.
Charney Lawyers: Canada’s Top Privacy Lawyers
Charney Lawyers is one of Canada’s leaders in privacy breach litigation. We are prosecuting numerous privacy class actions and data breach class actions across Canada. This includes the Bell Mobility Class Action, the Student Loans Class Action and the Medical Marihuana Class Action.
The AshleyMadison privacy breach may be ideally suited to class proceedings because many Canadians were affected in the same way. A class proceeding would allow all Canadian users to access justice without each hiring their own lawyers. All Canadian users would be represented by a small team of lawyers who would be paid out of the settlement or court awards. Any users who do not wish to be represented will be able to simply opt-out.
Why Privacy Matters
Invasions of privacy can have serious consequences – to your home life, to your reputation, to your career. The AshleyMadison privacy breach is particularly troubling given the nature of the website and the kinds of user information it contains.
In a recent press release, Ashley Madison said:
We have always had the confidentiality of our customers’ information foremost in our minds, and have had stringent security measures in place, including working with leading IT vendors from around the world.
We’re not convinced. AshleyMadison said that they are aware of an “attempt” to “gain access” to their database systems. But we know there was more than an “attempt”. We know the hackers entered the AshleyMadison database and posted a banner on the website's front page announcing the successful web attack. Here is a snippet of the banner:
In addition to user information, there are also reports from credible sources that the Impact Team also obtained maps of internal company servers, employee network account information, company bank account data and salary information. By all accounts, this appears to be a significant data breach.
AshleyMadison needs to answer serious questions. What kind of security measures were in place? How secure were those measures? Did they abide by standard industry practices? Did they take special precautions given the nature of the website and its promises of discretion? Were company insiders involved? Who in the company had access to their systems?
Further Background on AshleyMadison Privacy Breach
AshleyMadison.com is a dating website for people interested in having extra-marital affairs. Their now infamous slogan is “Life is short. Have an affair.” Avid Life Media claims to have over 37 million users worldwide, many of whom are in Canada. AshleyMadison.com is owned and operated by Toronto-based corporations called Avid Life Media Inc. and Avid Dating Life Inc. Its President and CEO is Noel Biderman, who touts himself as the "King of Infidelity". They also operate another website called EstablishedMen.com and other similar websites.
The hackers call themselves Impact Team. The hackers initially threatened to publish user’s personal information. Thirty days later, they released user data on the dark web. Other websites then made the data accessible to the public online. Charney Lawyers is not considering bringing claims against the Impact Team hackers.
On most social media websites, users may deactivate their accounts. This does not necessarily mean that user’s data is deleted. In most cases, the data remains on the website’s systems. AshleyMadison offered to permanently delete user information in exchange for fee. This is called a “hard delete”, “paid delete” or “full delete”. User’s real names, addresses and message history were supposed to be removed. You can read more about the paid delete options at AshleyMadison on ArsTechnica.com.
The hackers claimed that AshleyMadison collected these fees but did not delete the information. The hackers said they attacked the website in an effort to close it down as punishment for collecting a fee without performing the hard delete. The hackers announced that if the sites were not closed, the personal data would be released. On August 18, 2015, they appeared to have done so.
In a recent press release, Avid Life Media refuted these accusations about the paid delete:
the 'paid-delete' option offered by AshleyMadison.com does in fact remove all information related to a member's profile and communications activity.
Numerous individuals have contacted Charney Lawyers claiming to have paid for the "full delete" option, only to find that their data was never deleted and later exposed in this privacy breach.
In any event, various experts criticized the paid delete option as unethical. Following the hacking scandal, the Toronto Start reported that AshleyMadison has now promised to delete user information for free.
In late July, it appeared that only a small amount of AshleyMadison user data has been leaked. The Guardian Newspaper reported that at least two people had been exposed. The National Post reported that a Toronto-area man was exposed. As of August 18, 2015, it appears that millions of users' private information has been posted to the dark web. Immediately thereafter, this information was made accessible to the public. It has now been copied innumerable times across the internet and is unlikely to ever be removed.
Fake Female Profiles
AshleyMadison claimed to have over 5.5 million women members. However it has been reported that the vast majority of AshleyMadison’s female profiles are fake. Following this month’s privacy breach, innumerable analysts have been processing the data and making revealing discoveries.
The in-depth analysis of Annalee Newitz, Editor-in-Chief of technology website, Gizmodo, indicates that fewer than 12,000 female profiles are legitimate. Read the Gizmodo analysis here. The UK's Independent newspaper reported on the analysis here.
Corroborating this allegation is the 2013 lawsuit of Doriana Silva who sued the owners of AshleyMadison claiming that she incurred repetitive stress injuries to her hands after being instructed to create 1000 fake female profiles in three months. Her task was to create Portuguese profiles to attract more users from Brasil. The claims were later settled out of Court. Read a preliminary motions decision here. Read a report by Business Insider here.
The Office of the Privacy Commissioner of Canada (“the Privacy Commissioner”) and the Office of the Australian Information Commissioner have jointly investigated Ashley Madison. On August 23, 2016, the Privacy Commissioner released a report highly critical of the website’s security measures and business practices, including violations of federal privacy laws. These findings may assist in prosecuting the class action against the corporate owners of Ashely Madison, Ruby Corporation (formerly Avid Life Media Inc).
The compromised data includes account login information, user profile information (postal code, username, personal descriptions including sexual practices and fantasies) and billing information (users’ real names, billing address, partial credit card numbers). Other information including pictures, full credit card numbers and messages between users may have been compromised.
The Privacy Commissioner found that Ashley Madison collected highly sensitive personal information. The website users’ “physical and social well-being [was] at stake, including potential impacts on relationships and reputational risks, embarrassment or humiliation.” The Privacy Commissioner noted that potential reputational harm is “a high-impact risk as it can affect an individual’s long term ability to access and maintain employment, critical relationships, safety, and other necessities depending on the nature of the information held.”
Federal laws required Ashley Madison to implement “commensurately high” security measures to prevent loss, theft, unauthorized access, disclosure, copying or modification of user’s information.
Ashley Madison failed to implement even “basic organizational security safeguards” such as documented information security policies or practices for managing network permissions. They failed to implement “commonly used detective countermeasures” to monitor attacks, as well as intrusion detection systems, intrusion prevention systems, event management systems or loss prevention monitoring systems. Unusual logins to Ashley Madison’s systems were not tracked or reviewed, and many instances of unauthorized access immediately preceding the attack were only recently discovered. Ashley Madison did not have a documented risk management framework to identify risks and take appropriate actions. Ashley Madison failed to implement multi-factor authentication to access Ashley Madison’s systems remotely, which is a “commonly recommended” industry practice.
Ashley Madison “could have reasonably foreseen” that leaks of their users’ identifying information would have “significant adverse consequences” for those users because the website caters to people seeking extramarital affairs. Ashley Madison executives admitted that discretion was central to their business and the website contained numerous promises of security including “a medal icon labelled ‘trusted security award’, a lock icon indicating the website was ‘SSL secure’ and a statement that the website offered a ‘100% discreet service’.” Nevertheless, Ashley Madison failed to implement safeguards appropriate to protect highly sensitive information.
The Privacy Commissioner is harshly critical of many of Ashley Madison’s practices, including the following:
- no documented information security policies or practices
- no explicit risk management process — including assessments of privacy threats and evaluations of security practices
- inadequate staff training to ensure staff understood and carried out appropriate security practices
The Privacy Commissioner also criticized Ashley Madison for:
- Retaining personal information of users who had deactivated or deleted their accounts
- Charging money to delete user accounts
- Failing to verify accuracy of user email addresses before collecting and using them
- Lack of transparency with users about data handling practices
News Coverage on Ashley Madison Class Action
Ted Charney discussed the case on CTV News. Watch the video here.
Ted Charney participated in a radio discussion on NewsTalk 1010 in the late-afternoon of August 20, 2015.
CityNews and The Canadian Press reported on the class action immediately after filing in an article entitled, "Class-action lawsuit established in Ashley Madison data leak". Read it here.
The Toronto Sun reported on the class action immediately after filing in an article entitled, "Ottawa man files lawsuit against Ashley Madison citing privacy breach". Read it here.
Our press release cross the wire on August 20, 2015. Review the press release here.
Tony Spears of the Ottawa Sun reported on our then-prospective class action lawsuit in his article entitled, "Ashley Madison class-action lawsuit in the works in Canada". Mr. Charney was quoted explaining the "huge advantages" of a class proceeding. Regarding legal fees, Mr. Charney said, "[a]n individual trying to sue Ashley Madison would incur significant legal costs up front and might end up financial losers even in victory." Read the article here.
News Coverage on Ashley Madison Privacy Breach
Krebs on Security, a cyber-security monitor, broke the story in a piece entitled, "Online Cheating Site AshleyMadison Hacked". Read it here.
The Associated Press published an early story entitled, "Cheating Website Ashley Madison Hacked, Personal Info Posted". Read it here.
The Canadian Press published a similar story entitled, "Ashley Madison, infamous infidelity website, target of data hack". Read it here.
Time Magazine reported the story in light of broader data-kidnapping in a piece entitled, Ashley Madison and the Rise of Data Kidnapping". Read it here.
The Economist referenced the AshleyMadison data breach in it's piece entitled, "The Enemy Within". Read it here. Read it here.
Laura Wright at the CBC wrote a piece entitled, "Ashley Madison could face class-action suit after massive data breach". Read it here.
Robin Levinson King at the Toronto Star wrote a piece entitled, "Ashley Madison’s charge for ‘full delete’ of data completely unethical, critics say. Read it here.
Business News Network has posted video of their interview with Kenneth Owen, a cybersecurity expert and PhD candidate at McMaster University, entitled, "Ashley Madison hackers release identities of two users". Watch it here.
Krebs on Security, a leading expert in the field and a chief commentator on the AshleyMadison breach, has reported, "I’ve now spoken with three vouched sources who all have reported finding their information and last four digits of their credit card numbers in the leaked database. ...I’m sure there are millions of AshleyMadison users who wish it weren’t so, but there is every indication this dump is the real deal." Read it here.
Kim Zetter at Wired.com has covered the data dump of user data in an article entitled, "Hackers Finally Post Stolen Ashley Madison Data". Read it here.
The BBC has investigated the contents of the data dump in a report entitled, "What's in the Ashley Madison dump?". Read it here.
Stefan Nicola and Kristen Schweizer of Bloomberg News reported that the data of multiple Ashley Madison users dumped to the dark web has now been verified as authentic, in a piece called "Data from 36 million AshleyMadison accounts dumped online, hackers claim". Read it here.
Legal Press Coverage on Ashley Madison Data Breach
Jennifer Brown at Canadian Lawyer Magazine wrote a piece entitled, "Will Ashley Madison customers launch class action over hacking incident?". Read it here.
Michael Whitener, a partner at VLP Law Group in California, wrote a piece for Thomson Reuters Legal Current entitled, "Ashley Madison: There is no such thing as guaranteed data security". Read it here.
Editorial Press on Ashley Madison Data Breach
Chris Sorensen at Macleans Magazine published a piece entitled, "Ashley Madison’s Achilles heel is exposed -- and it’s not immorality". Read it here.
Farai Chideya at The Intercept published a piece entitled, "Some Dude Created an Ashley Madison Account Linked to my Gmail, and All I Got Was This Lousy Extortion Screen". Read it here.
Mary Elizabeth Williams at Salon.com wrote an article in defence of the privacy of Ashley Madison users. Read it here.
Van Badham at The Guardian wrote a piece entitled, "In Defense of Ashley Madison: Even Cheaters Deserve Privacy". Read it here.
Christina Warren opined on liability of Avid Life Media in the aftermath of the data breach in her piece entitled, "Why AshleyMadison should be the one to pay for getting hacked". Read it here.
The site is not designed to answer questions about your individual situation or entitlement. Do not rely upon the information provided on this website as legal advice in respect of your individual situation nor use it as substitute for individual legal advice.
The information collected about potential class members will assist counsel in prosecuting the class action and assessing what damages were suffered by the class as a whole. Providing the information requested does not make you the client of Charney Lawyers or Sutts, Strosberg LLP. The court will ultimately decide who will be included as a class member.
This website will be updated from time to time to provide potential class members with information as it becomes available.
Current Class Actions
“I find that the plaintiff’s counsel presented a well prepared, organized and efficient case… The medical issues were complex. It involved evidence of psychiatrists, physiatrists, orthopaedic surgeons, occupational therapists, future care specialists, vocational alternatives, forensic accounting and quantification of damages. The jury had to be presented with present valuations of past and future loss of income and projections of future care costs."
-Giordano v. Li [Ontario Superior Court of Justice, 2015]
Ted Charney represented the plaintiff in this three week personal injury jury trial securing a $900,000 verdict for chronic pain syndrome.
"Charney... is unquestionably qualified to act as counsel."
-Ison T Auto Sales v. Zurich Insurance [Ontario Court of Appeal, 2011]
Ted Charney acted for Ison T Auto Sales i.e. Toronto Honda on the appeal.
"The Whiting Group Counsel Team consists of 11 law firms from 7 provinces across Canada and includes some of the most experienced class action firms in Canada with a broad range of experience in class actions with particular expertise in product liability class actions and personal injury. Four of these law firms are in Ontario where the action will be based and includes counsel who are very experienced in class action litigation and have the resources and experience to advance this claim in Ontario or on a national scale. This fact favours the Whiting Group."
-Whiting et al v. Menu Foods Income Fund [Ontario Superior Court of Justice, 2007]
Charney Lawyers was a member of the Whiting Group and appeared as counsel on the motion to decide carriage.
"Mr. Charney conducted the Applicant's case in an exemplary and efficient manner, which was to the benefit of all concerned, his clients, the insurer and myself alike."
Ted Charney acted for the insured.