skip to main content

AshleyMadison Data Breach

On July 15, 2015, the news media began reporting that AshleyMadison.com was hacked. On August 18, 2015, the media reported that 9.7 gigabytes of AshleyMadison's user data was posted onto the darkweb. This included the personal names, addresses, phone numbers, email addresses, and login details for over 32 million AshleyMadison users. Current and former users are concerned that their personal, private information has been or will be publicly accessible.

On August 20, 2015,  Charney Lawyers and  Sutts, Strosberg LLP launched a national class action against the owners and operators of AshleyMadison.com. This lawsuit was filed in Toronto on behalf of all residents of Canada who subscribed to the website. The plaintiff claimed $760 million in damages. You can review the press release here. On August 25, 2015, the same law firms filed a class action in Montreal on behalf of all Quebec residents who subscribed to Ashley Madison.

The Office of the Privacy Commissioner of Canada (“the Privacy Commissioner”) and the Office of the Australian Information Commissioner have jointly investigated Ashley Madison. On August 23, 2016, the Privacy Commissioner released a report highly critical of the website’s security measures and business practices, including violations of federal privacy laws. These findings may assist in prosecuting the class action against the corporate owners of Ashely Madison, Ruby Corporation (formerly Avid Life Media Inc). Below is a summary of some of the interesting findings of the Report. You can read the complete report here.

Canadians in every province, including Quebec, are encouraged to reach out and participate in this action.

WARNING: Fraudsters are now sending emails to AshleyMadison users asking them to pay money to join a class action. This is a scam. Do not pay them. Do not provide them any personal information. To date, Charney Lawyers and Sutts, Strosberg LLP are the only Canadian law firms prosecuting a class action against AshleyMadison. We only take your personal information by phone. No money changes hands.

Why Privacy Matters

Invasions of privacy can have serious consequences – to your home life, to your reputation, to your career. The AshleyMadison privacy breach is particularly troubling given the nature of the website and the kinds of user information it contains.

In a recent press release, Ashley Madison said:

We have always had the confidentiality of our customers’ information foremost in our minds, and have had stringent security measures in place, including working with leading IT vendors from around the world.

We’re not convinced. AshleyMadison said that they are aware of an “attempt” to “gain access” to their database systems. But we know there was more than an “attempt”. We know the hackers entered the AshleyMadison database and posted a banner on the website's front page announcing the successful web attack. Here is a snippet of the banner:

In addition to user information, there are also reports from credible sources that the Impact Team also obtained maps of internal company servers, employee network account information, company bank account data and salary information. By all accounts, this appears to be a significant data breach.

AshleyMadison needs to answer serious questions. What kind of security measures were in place? How secure were those measures? Did they abide by standard industry practices? Did they take special precautions given the nature of the website and its promises of discretion? Were company insiders involved? Who in the company had access to their systems?

Further Background on AshleyMadison Privacy Breach

AshleyMadison.com is a dating website for people interested in having extra-marital affairs. Their now infamous slogan is “Life is short. Have an affair.” Avid Life Media claims to have over 37 million users worldwide, many of whom are in Canada. AshleyMadison.com is owned and operated by Toronto-based corporations called Avid Life Media Inc. and Avid Dating Life Inc. Its President and CEO is Noel Biderman, who touts himself as the " King of Infidelity". They also operate another website called EstablishedMen.com and other similar websites.

The hackers call themselves Impact Team. The hackers initially threatened to publish user’s personal information. Thirty days later, they released user data on the dark web. Other websites then made the data accessible to the public online. Charney Lawyers is not considering bringing claims against the Impact Team hackers.

Various industry experts are indicating that the user data is authentic. Ashley Madison has claimed to be cooperating with investigations by the Toronto Police, RCMP, OPP and FBI.

On most social media websites, users may deactivate their accounts. This does not necessarily mean that user’s data is deleted. In most cases, the data remains on the website’s systems. AshleyMadison offered to permanently delete user information in exchange for fee. This is called a “hard delete”, “paid delete” or “full delete”. User’s real names, addresses and message history were supposed to be removed. You can read more about the paid delete options at AshleyMadison on ArsTechnica.com.

The hackers claimed that AshleyMadison collected these fees but did not delete the information. The hackers said they attacked the website in an effort to close it down as punishment for collecting a fee without performing the hard delete. The hackers announced that if the sites were not closed, the personal data would be released. On August 18, 2015, they appeared to have done so.

In a  recent press release, Avid Life Media refuted these accusations about the paid delete:

the 'paid-delete' option offered by AshleyMadison.com does in fact remove all information related to a member's profile and communications activity.

Numerous individuals have contacted Charney Lawyers claiming to have paid for the "full delete" option, only to find that their data was never deleted and later exposed in this privacy breach.

In any event, various experts criticized the paid delete option as unethical. Following the hacking scandal, the Toronto Star reported that AshleyMadison has now promised to delete user information for free.

In late July, it appeared that only a small amount of AshleyMadison user data has been leaked. The Guardian Newspaper reported that at least two people had been exposed. The National Post reported that a Toronto-area man was exposed. As of August 18, 2015, it appears that millions of users' private information has been posted to the dark web. Immediately thereafter, this information was made accessible to the public. It has now been copied innumerable times across the internet and is unlikely to ever be removed.

Fake Female Profiles

AshleyMadison claimed to have over 5.5 million women members. However, it has been reported that the vast majority of AshleyMadison’s female profiles are fake. Following this month’s privacy breach, innumerable analysts have been processing the data and making revealing discoveries.

The in-depth analysis of Annalee Newitz, Editor-in-Chief of technology website, Gizmodo, indicates that fewer than 12,000 female profiles are legitimate.  Read the Gizmodo analysis here. The UK's Independent newspaper reported on the analysis here.

Corroborating this allegation is the 2013 lawsuit of Doriana Silva who sued the owners of AshleyMadison claiming that she incurred repetitive stress injuries to her hands after being instructed to create 1000 fake female profiles in three months. Her task was to create Portuguese profiles to attract more users from Brasil. The claims were later settled out of Court. Read a  preliminary motions decision here. Read a  report by Business Insider here.

Office of the Privacy Commissioner of Canada

The Office of the Privacy Commissioner of Canada (“the Privacy Commissioner”) and the Office of the Australian Information Commissioner have jointly investigated Ashley Madison. On August 23, 2016, the Privacy Commissioner released a report highly critical of the website’s security measures and business practices, including violations of federal privacy laws. These findings may assist in prosecuting the class action against the corporate owners of Ashely Madison, Ruby Corporation (formerly Avid Life Media Inc).

The compromised data includes account login information, user profile information (postal code, username, personal descriptions including sexual practices and fantasies) and billing information (users’ real names, billing address, partial credit card numbers). Other information including pictures, full credit card numbers and messages between users may have been compromised.

The Privacy Commissioner found that Ashley Madison collected highly sensitive personal information. The website users’ “physical and social well-being [was] at stake, including potential impacts on relationships and reputational risks, embarrassment or humiliation.” The Privacy Commissioner noted that potential reputational harm is “a high-impact risk as it can affect an individual’s long term ability to access and maintain employment, critical relationships, safety, and other necessities depending on the nature of the information held.”

Federal laws required Ashley Madison to implement “commensurately high” security measures to prevent loss, theft, unauthorized access, disclosure, copying or modification of user’s information.

Ashley Madison failed to implement even “basic organizational security safeguards” such as documented information security policies or practices for managing network permissions. They failed to implement “commonly used detective countermeasures” to monitor attacks, as well as intrusion detection systems, intrusion prevention systems, event management systems or loss prevention monitoring systems. Unusual logins to Ashley Madison’s systems were not tracked or reviewed, and many instances of unauthorized access immediately preceding the attack were only recently discovered. Ashley Madison did not have a documented risk management framework to identify risks and take appropriate actions. Ashley Madison failed to implement multi-factor authentication to access Ashley Madison’s systems remotely, which is a “commonly recommended” industry practice.

Ashley Madison “could have reasonably foreseen” that leaks of their users’ identifying information would have “significant adverse consequences” for those users because the website caters to people seeking extramarital affairs. Ashley Madison executives admitted that discretion was central to their business and the website contained numerous promises of security including “a medal icon labelled ‘trusted security award’, a lock icon indicating the website was ‘SSL secure’ and a statement that the website offered a ‘100% discreet service’.” Nevertheless, Ashley Madison failed to implement safeguards appropriate to protect highly sensitive information.

The Privacy Commissioner is harshly critical of many of Ashley Madison’s practices, including the following:

  • no documented information security policies or practices
  • no explicit risk management process — including assessments of privacy threats and evaluations of security practices
  • inadequate staff training to ensure staff understood and carried out appropriate security practices

The Privacy Commissioner also criticized Ashley Madison for:

  • Retaining personal information of users who had deactivated or deleted their accounts
  • Charging money to delete user accounts
  • Failing to verify accuracy of user email addresses before collecting and using them
  • Lack of transparency with users about data handling practices

IMPORTANT NOTE:

The site is not designed to answer questions about your individual situation or entitlement. Do not rely upon the information provided on this website as legal advice in respect of your individual situation nor use it as substitute for individual legal advice.

The information collected about potential class members will assist counsel in prosecuting the class action and assessing what damages were suffered by the class as a whole. Providing the information requested does not make you the client of Charney Lawyers or Sutts, Strosberg LLP. The court will ultimately decide who will be included as a class member.

This website will be updated from time to time to provide potential class members with information as it becomes available.