Hacks can hurt businesses badly, but usually not fatally. Ashley Madison could prove the exception.
This is a whopper of a hack. It hit a particularly vulnerable company in its sorest spot. Here are three big challenges the site will have to overcome to survive.
1) Lack of trust
Hackers exposed 32 million Ashley Madison customers’ names, credit card numbers, emails, home addresses and sexual preferences.
That means the dating website for cheaters failed at the very thing its business was built upon: letting customers have secret affairs.
The hack has also revealed that nearly all of Ashley Madison’s customers were men — 90% to 95%, according to experts who analyzed the leaked documents. Most of the “women” listed on the site were actually fake accounts created by scammers.
Plummeting trust in the brand will almost certainly scare customers away. Avid Life Media, Ashley Madison’s parent company, declined to comment on customer retention after the hack.
On its website, the company displays a running count of “anonymous members.” It now shows 39.2 million members, up 400,000 from when the hackers made the customer details public on Tuesday.
But that growth probably won’t last.
“This hack struck at the heart of the company’s business model, which was ‘trust us with your confidential information and we’ll keep it that way,'” said Craig Newman, chair of the privacy and data security practice at law firm Patterson Belknap Webb & Tyler. “You’ve got this undercurrent of a morality play, but the reputations of a lot of innocent people that stand to be tarnished.”
The company says it will work to make its site more secure.
“We continue to devote significant resources to our security protocols and systems and we continue to support our customers around the world,” a company spokesman said in a statement.
But that’s akin to closing the barn doors after the horse has escaped.
2) Secrets are out
The unidentified hackers, who call themselves the “Impact Team,” have also released gigabytes of business critical information about Avid Life Media, including the company’s bank account numbers and passwords, employee payroll information, the CEO’s corporate emails and even the website’s source code.
The exposure of the company’s secret internal documents are grist for copycats. Infidelity will continue to take place long after Ashley Madison, and another site waiting in the wings will be looking to capitalize on Ashley Madison’s struggles. Ashley Madison’s source code could make it easier for another site to quickly adopt the secret sauce that made the company a success.
And of course the leak of embarrassing internal emails could make things even worse.
Earlier in the week, the hackers released stolen data that included the CEO’s emails and other internal documents. But some of the file was corrupted, so the public wasn’t able to analyze its content. On Friday, the hackers made that information public again, fixing the corrupted file.
According to David Kennedy, chief executive of cybersecurity firm TrustedSec, the file contains emails from Avid Life Media’s CEO and internal company data.
3) Lawsuits
Another problem for Ashley Madison will be the inevitable slew of lawsuits coming from exposed customers.
Ashley Madison is successful, but fending off a class action suit from millions of customers would be expensive. It recorded $115 million in sales and a $55 million profit last year, according to documents the company shared with Forbes.
Class actions are a virtual certainty in hacking cases such as this, and it’s not too much of a stretch for customers to prove that they were harmed by the outing of their information. Some customers might choose not to file a lawsuit against Ashley Madison, because it would expose them to additional public scrutiny. But they’ve already been “outed” by the hackers, and many might choose to go after the site anyway.
This is what two Canadian law firms, Charney Lawyers and Sutts, Strosberg LLP, are banking on. The firms say they have filed a $760 million suit against ALM. The lead plaintiff in the suit is described as a “disabled widower” who briefly joined the site after the death of his wife but never met anybody in person.
Avid Life Media says it was the victim of a crime, and it will likely make the argument that it did everything it could to protect customers’ privacy. It’s still not clear exactly what — if anything — Ashley Madison could have done to prevent the hack.
If the hackers’ identities are ever revealed, the company will probably sue for damages. ALM says it is working with law enforcement, including the FBI, to determine who hacked the company.
But its customers were from all over the globe, and each country has its own privacy laws that Ashley Madison will now have to grapple with.
“The company is faced with a daunting legal situation,” said Newman. “All of this confidential information is now out there for anyone to see. It puts the company in an untenable situation. From a legal perspective, it’s like quicksand.”
Sony Pictures endured a very similar kind of hack last year. But it is in the business of making movies, not keeping information secret. And it is a far bigger company than Ashley Madison. Though its hack was extremely disruptive to its business operations, and the head of the company was ultimately ousted, Sony’s success is still pinned to whether or not it can sell tickets at the box office.
The hackers said they wanted to destroy Ashley Madison, taking down the company. It looks like they will accomplish that goal.