Updates to our Terms of Use

We are updating our Terms of Use. Please carefully review the updated Terms before proceeding to our website.

Friday, March 29, 2024 | Back issues
Courthouse News Service Courthouse News Service

Class Sues Ashley Madison for Data Hack

LOS ANGELES (CN) - Online affair liaison Ashley Madison exposed users' private information to theft by not protecting it with adequate security, a class of subscribers claims in court.

John Doe sued Ontario companies Avid Life Media and Avid Life Dating dba Ashley Madison in Federal Court on Friday.

On July 20, a group of hackers called Impact Team breached Ashley Madison's subscriber database and downloaded personal and financial information belonging to the site's roughly 37 million customers, according to the complaint.

"The website stores ... users' login details, mailing addresses, email addresses, phone numbers, payment transaction details, credit card data, and passwords. Importantly, highly sensitive user profile data such as photographs and sexual fantasies is also stored in the website," the complaint states.

Impact Team threatened to release the subscriber information unless Ashley Madison shut down the site. When it refused, the hackers made good on their threat and publicly dumped 9.7 gigabytes of subscribers' personal data on Aug. 18, including information from people who had paid the site $19 to delete their profiles, according to the complaint.

"Needless to say, this dumping of sensitive personal and financial information is bound to have catastrophic effects on the lives of the website's users," the complaint states.

AshleyMadison.com is a dating website geared toward people in marriages or committed relationships who want to engage in adulterous behavior. The pay-to-play service markets itself to adults in 46 countries and raked in around $115 million in profits in 2014, according to the complaint.

When setting up an account, users must submit their own personal information, such as birthday, height, weight and ethnicity, as well as an email address and the type of affair sought. They can also fill out sections on sexual fantasies and personal interests and upload a "discrete" photo that can be blurred or altered to include a mask over the person's eyes, the lawsuit states.

Though the site stored people's data in "an unencrypted format at the database level," it assured subscribers that their private information would never be revealed. The site was so sure of its security protection that it "published on the Internet a statement calling itself the 'last truly secure space on the Internet," the complaint alleges.

Doe says he believed those assertions when he set up his account, uploaded photos, and provided his credit card information in March 2012. But Impact Team's breach of the database proved that Ashley Madison's security protection was a sham, he claims.

"The massive data breach could have been prevented had defendants taken the necessary and reasonable precautions to protect its users' information by, for example, encrypting the data entrusted to it by its users on a database level so that any information hacked and downloaded appeared in the encrypted format," the complaint states. "Defendants were aware or should have been aware of the need to secure users' information, especially in light of the recent rise of massive security breaches on the Internet and the fact hat the information contained on its servers is particularly sensitive."

Adding insult to injury, Ashley Madison did not inform Doe, whose account was one of the ones made public in the data dump, about the breach or the extent of the breach, he claims.

Having their private and embarrassing personal information exposed for the world to see has caused Doe and other subscribers "mental anguish, disability, loss of capacity for the enjoyment of life, and expense of medical care and treatment," the lawsuit states.

The site should have known that subscribers would consider its inability to properly protect their privacy as "highly offensive," the complaint adds.

Ashley Madison said in a press release that it launched its own investigation into the data breach while also cooperating with Canadian authorities. The site says it is scouring the Internet for subscribers' personal information and removing it once the validity of the information is determined.

"This event is not an act of hacktivism, it is an act of criminality. It is an illegal action against the individual members of AshleyMadison.com, as well as any freethinking people who choose to engage in fully lawful online activities. The criminal, or criminals, involved in this act have appointed themselves as the moral judge, juror, and executioner, seeing fit to impose a personal notion of virtue on all of society," the press release states. "We will not sit idly by and allow these thieves to force their personal ideology on citizens around the world. We are continuing to fully cooperate with law enforcement to seek to hold the guilty parties accountable to the strictest measures of the law."

The company did not immediately return a request for comment from Courthouse News.

Doe's lawsuit seeks class certification, disgorgement, restitution and statutory and punitive damages for infliction of emotional distress, unfair competition, invasion of privacy, breach of implied contract and conversion. The class is represented by Julian Hammond, who also did not immediately return a request for comment.

Thousands of government employees' names were among those allegedly revealed in the data dump, including hundreds from the armed forces. Several addresses also allegedly belong to people connected with Harvard and Yale universities, the United Nations and even the Vatican, according to a Daily Mail report.

Several people whose names were released, including a married British politician, claim they never used the site and including their email addresses in the data dump was a smear campaign against them, the Daily Mail reported. Former reality television star Josh Duggar was allegedly included in the published information.

The data dump has also apparently spiked demand for private investigators to look into possible cheaters, according to CNN.

In an interview with technology news site Motherboard, Impact Team claimed the Ashley Madison hack was simple because there was little to no security to bypass.

The group claimed they had been hacking the site for a couple years before the July 20 breach. They said they targeted the site because it makes "$100,000,000 in fraud a year" and likened it to "a drug dealer abusing addicts," according to the Motherboard report.

When asked if group planned on hacking any other sites in the future, Impact Team told Motherboard they would target "companies that make [hundreds] of millions profiting off pain of others, secrets, and lies. Maybe corrupt politicians. If we do, it will be a long time, but it will be total."

Avid Life Media announced Monday that it is offering a reward of $500,000 CDN, or about $376,000 USD, to anyone with information leading to the identification, arrest and conviction of those responsible for the data breach.

Categories / Uncategorized

Subscribe to Closing Arguments

Sign up for new weekly newsletter Closing Arguments to get the latest about ongoing trials, major litigation and hot cases and rulings in courthouses around the U.S. and the world.

Loading...