The website Ashley Madison promised its customers “discreet” affairs; a counter on its website boasts more than 38 million “anonymous users.” But many of those users aren’t quite anonymous anymore. The company confirmed a data breach last month and now hackers have publicly posted the oh-so-private information of many of Ashley Madison’s users.
John Kindervag, a security analyst with Forrester Research, says these kinds of hacks are almost inevitable, as there’s no shortage of targets.
“I don’t think cyber criminals are out there wondering, 'How will I ever get into certain companies?'” he says. “I think they’re just, like, overwhelmed, and go, ‘Well, we don’t have time to breach every company.’”
Michela Menting with ABI Research says, “I think it’s idealistic to say you can provide absolute privacy.”
She says that's a tough line to toe for companies that are premised upon privacy, such as Ashley Madison, but also less risqué businesses like health insurers, human resources departments, photo storage sites, etc.
“It’s maybe something [companies] don’t want to push forward: ‘It’s not a 100 percent secure. These are the risks. We can’t guarantee absolute protection,” Menting says. "They're difficult concepts to reconcile."
“These are illegitimate acts that have real consequences for innocent citizens who are simply going about their daily lives,” Ashley Madison said in a statement responding to the posting of user data. “Regardless, if it is your private pictures or your personal thoughts that have slipped into public distribution, no one has the right to pilfer and reveal that information to audiences in search of the lurid, the titillating, and the embarrassing.”
But just as credit cards and social security numbers have value, so does more sensitive information.
“It could be used to impersonate you; it could be used to embarrass you, to trick you into revealing even more information about yourself or scam you in some way,” says Susan Grant at the Consumer Federation of America.
Additionally, unlike a credit card number that may be easily replaced, Grant says, when personal information is leaked, there’s really no way to undo the damage.