Adultery website Ashley Madison should have been using state-of-the-art security technology and cleansed its databases of sensitive information to protect its customers, a senior associate at a leading tech law firm has argued.
The attack is the latest high-profile hack to hit the headlines and comes just months after the attack on another hook-up site, AdultFriendFinder.com.
According to Mahisha Rupan, senior associate at Kemp Little, Avid Life Media (ALM), which owns AshleyMadison.com, had a legal duty to protect users' information using tools that were in proportion to the sensitivity of the material being saved.
She also said that current and former users of the site could have grounds for legal action against the owners of the site.
The hackers who attacked the site and reportedly downloaded details of 37 million users said the data contained “secret sexual fantasies, nude pictures, credit card transactions, real names and addresses as well as employee documents and emails”.
Calling themselves the 'Impact Team', the hackers have demanded the Ashley Madison site, together with the associated site Established Men, be closed down. Failure to comply could result in the hackers releasing the confidential customer information which had been exfiltrated.
Given the nature of the information stored, Rupan told SCMagazineUK.com that “it is arguable that Ashley Madison should have been using state-of-the-art security technology”.
However, Rupan said it's not clear that ALM was using the best security. “Ashley Madison is actually quite elusive about its security techniques – it only states that it will be using 'industry standard' technologies and practices, which inevitably begs the question, what industry is being referred to?” she said. “Most individuals would expect a higher standard of security to be used by Ashley Madison than other online services.”
In fact, ALM's communication over the hack hasn't been entirely clear. There was some confusion at Ashley Madison customer service yesterday, as The Guardian reported, over exactly how many customer records had been stolen. A Guardian journalist, posing as a user, was told by several different customer service representatives that only two records had been exfiltrated. Asked about this later, a company spokesman said that customer service “might be stepping a bit too far in terms of what they're saying”.
There is also a lack of clarity over Ashley Madison's paid-for “hard delete” service. The company charged US users US$19 and UK users £15 if they wanted to have all their personal details removed from the site. This included photos, profiles and copies of their messages to other users.