2015-08-24



Ashley Madison faces $578 million Canadian class-action lawsuit.

Hundreds of US government employees — including some with sensitive jobs in the White House, Congress and law enforcement agencies — used Internet connections in their federal offices to access and pay membership fees to the cheating website Ashley Madison, The Associated Press has learned. A former employee of the Ashley Madison adultery website has claimed she was told to create hundreds of fake profiles of female “members” to entice men to join up. Two Canadian law firms have filed a $578 million class-action lawsuit against the companies that run Ashley Madison after a hacker group’s data breach exposed some 39 million memberships in the adultery website earlier this week. At least one Knesset member is among the estimated 170,000 Israelis whose personal details were swiped and released into the wild by hackers who stole the data off the website of AshleyMadison.com, the infamous platform for married people to hook up with partners other than their spouses.


Doriana Silva, who worked at the company’s headquarters in Toronto, Canada, tried to sue the firm in 2012 after claiming she suffered repetitive strain injury (RSI) after being given a month to input 1000 bogus memberships. Charney Lawyers and Sutts, Strosberg LLP, both of Ontario, said that they filed the lawsuit on behalf of Canadians who subscribed to Ashley Madison and whose personal information was disclosed to the public. But when the personal details of millions of cheaters get posted online for anyone to download — as is the case with the recent hack of infidelity hookup site AshleyMadison.com — random blackmailers are bound to pounce on the opportunity. Now he, the other Israelis, and nearly 40 million people worldwide are scrambling to protect their identities where possible, or at least come up with logical-sounding excuses as to why they were members of a website that encouraged cheating to offer their spouses — or divorce attorneys.


They included at least two assistant US attorneys; an information technology administrator in the Executive Office of the President; a division chief, an investigator and a trial attorney in the Justice Department; a government hacker at the Homeland Security Department and another DHS employee who indicated he worked on a US counterterrorism response team. The case adds to suspicions that countless victims of an online hack of the site’s database, whose details are now publicly available as alleged users of the website, are innocent victims whose email addresses may have been bought in bulk by Ashley Madison. According to security firms and to a review of several emails shared with this author, extortionists already see easy pickings in the leaked AshleyMadison user database. While many of the names and email addresses posted in the data dump appear to be false, the leak exposed everything from credit card information and geolocation data to security questions for recovering lost passwords, according to The Christian Science Monitor.

For those in Israel and elsewhere whose identities have been compromised, an Ashley Madison victims’ “first aid kit” may help mitigate the damage. “The internet never forgets, and so any piece of information (private or not, embarrassing or not) will forever be available,” wrote Dr. Silva, who is Brazilian, was recruited by Ashley Madison’s parent company Avid Life Media to help launch a Portuguese language website in her home country. The dump – which involved data linked to government officials, military personnel, top-level executives, and civil servants, among others – has since raised critical questions about the security of servers used by both government agencies and corporations as well as users’ privacy rights. “The Ashley Madison leak is about a lot more than the public shaming of philanderers. But AP traced their government Internet connections — logged by the website over five years — and reviewed their credit-card transactions to identify them.

According to court documents in Toronto: “Her allegation is that her job entailed concocting phony profiles of alluring females and inputting these profiles into the appellants’ online dating service in order to attract male subscribers.” She said she was led to believe “that doing so was some sort of a normal business practice in the industry” but found her workplace “oppressive and unethical”. They included workers at more than two dozen Obama administration agencies, including the departments of State, Defense, Justice, Energy, Treasury, Transportation and Homeland Security. Miller, noting that journalists, security experts, and others have noted that there were 15,000 .mil or .gov email addresses among those used for the site.

In a statement given in November 2013, Avid Life confirmed Silva had worked for the company for 90 days, but said her claims were “extortionary”, increasing over time from $US120,000 to $US20 million. A father of several children who’s been married for more than 10 years, Mac said his life would be “incredibly disrupted” if extortionists made good on their threats. Mac said he used a prepaid card to pay for his subscription at AshleyMadison.com, but that the billing address for the prepaid ties back to his home address. “So they have my home billing address and first and last name, so it would be relatively easy for them to get my home records and figure out who I am,” Mac said. “I’ll accept the consequences if this does get disclosed, but obviously I’d rather not have that happen because my wife and I are both very happy in our marriage.” Unfortunately, the extortion attempts like the one against Mac are likely to increase in number, sophistication and targeting, says Tom Kellerman, chief cybersecurity officer at Trend Micro.

The Impact Crew, the hacking group behind the breach, appeared to have aimed at maximizing damage to the company, based on a statement it released alongside the data dump: “It was [Avid Life Media] that failed you and lied to you. For example, hack victims are instructed to determine if they are among the more than 30 million (so far) email addresses of Ashley Madison users released to the web by searching for themselves on sites that don’t record search queries. Using a “normal” search engine like Google could be dangerous if the records of what was searched for are ever matched to an IP address and then connected to an email address. Many federal customers appeared to use non-government email addresses with handles such as “sexlessmarriage,” “soontobesingle” or “latinlovers.” Some Justice Department employees appeared to use pre-paid credit cards to help preserve their anonymity but connected to the service from their office computers. “I was doing some things I shouldn’t have been doing,” a Justice Department investigator told the AP.

It sounds far-fetched, but better safe than sorry. “Search the email address used for AM and see if something comes up,” said Ehrlich. “To further minimize leaking more information, we recommend searching with StartPage which does not collect private information and is powered by Google. Asked about the threat of blackmail, the investigator said if prompted he would reveal his actions to his family and employer to prevent it. “I’ve worked too hard all my life to be a victim of blackmail. True, AshleyMadison.com did not always verify email addresses, but some of these AshleyMadison search services coming online will indicate whether the associated email address also has a payment record — a marker which could be useful to extortionists.

Online security experts have suggested the company could have bought bulk email addresses from marketing companies to make it appear that their membership — and their choice of possible partners — was far larger than the reality. Before you hit “submit,” stop and think before giving up your personal information to any kind of website, said Michael Kaiser, executive director of the National Cyber Security Alliance, an industry-funded group that educates consumers about cybersecurity. “Personal information is like money, and you don’t just give away your money,” Kaiser says. “In the environment we’re in right now, you have to value it and think about protecting it everywhere you go on the Internet.” That means taking a look at a website’s business to get an idea of how much they value information security and even asking them about their data retention practices.

Banks, which deal in financial information, and large retailers, who have a vested interest in getting people to shop online, are probably safer bets than a dating site. “Ashley Madison actually charges you to remove your information when you remove your account,” he says. “That’s a big clue about how they feel about your personal information.” Many consumers like it when e-commerce sites have their credit card and other information on file, or when Web browsers automatically fill in forms with their name, address and other details, says Peter Tyrrell, chief operating officer of the data security firm Digital Guardian. In many cases, the users paid an additional fee for the website to remove all of their user data, only to discover that the information was left intact and exposed.” But others point to a broader problem that sites like Ashley Madison embody: The use of customers’ data as objects to be owned. However, an old Yiddish proverb says ‘it is one thing to let the death angel take you down, and another thing to unlock the door for him and put the knot on your neck.’” The point, added Ehrlich, “is not to help cheaters — it is to help anyone whose private details have been exposed online.

The AP’s analysis also found hundreds of transactions associated with Department of Defense networks, either at the Pentagon or from armed services connections elsewhere. As related by a reader of the Sydney Morning Herald: “[The woman] books a hotel room and arranges to meet a number of men at intervals during the day; all she asks of her ‘lover’ is that he pays for the room rental; after a quick liaison, she gets rid of him […] then gets ready for the next man.” “Some sites turn a blind eye”, the reader said, “or even actively engage women to play this role, so that they can fulfil their guarantee that any man signing up to meet a certain number of ladies actually gets to do so”.

Wittkower, an author and assistant professor who teaches on philosophy of technology, digital culture, and computer ethics at Old Dominion University, said he found the practice of deleting customers’ data for a fee to be “strikingly similar to revenge porn.” To protect people in a digital environment, we need to promote legislative approaches that recognize and respect conversations, sexting, and selfies not as objects but as human activities; as asynchronous and digitally transferrable moments of a person’s life, deserving of respect and care. Adultery can be a criminal offense under the Uniform Code of Military Justice. “I’m aware of it,” Carter said. “Of course it’s an issue because conduct is very important. And it means that even when a person thinks that their information has been permanently deleted, chances are there are still copies floating around somewhere. “Ashley Madison is a company with a service that’s completely predicated on privacy,” Tyrrell says, adding that characteristic sets it apart from many traditional e-commerce sites such as retailers. “Here the capital, so to speak, isn’t a credit card or consumer goods. The law firms said the lawsuit is not being brought against the hackers, who have said they attacked the website in an effort to close it down as punishment for collecting a fee without actually deleting users’ data.

The capital is personal information that if released could be ruinous personally, and financially too.” Breaches, whether they be at a major retailer such as Target Corp., a health insurance company such as Anthem Inc., or Ashley Madison, have become so common that people should give some serious thought before putting personal information online, says Caleb Barlow, a vice president at IBM’s security division. But it raises questions about what personal business is acceptable — and what websites are OK to visit — for government workers on taxpayer time, especially employees who could face blackmail. It added that law enforcement in both the US and Canada is investigating and declined comment beyond its statement Tuesday that it was investigating the hackers’ claims.
