Just about everyone has an opinion about the Ashley Madison scandal, especially those millions who unwisely trusted the adultery website with their personal fantasies and credit card details. But it’s a mistake to think this crisis is mainly about hacking and cyber security. It’s more importantly about how the company responded and why it was targeted.
Hackers are sometimes motivated by seeking notoriety; or by criminal intent to steal banking and other personal details; or by political motivation, such as the North Koreans said to have hacked into Sony to protest against a supposedly funny movie about a plot to assassinate Kim Jong Un.
However, some claim to be socially aware activists, such as the “Impact Team” who hacked into the Ashley Madison database. Their ‘manifesto’ said they wanted to shut down the website for promising anonymity to “cheating dirt-bags” hoping to hook up for extra-marital affairs. But the company appeared eager to ignore or downplay this reality. Instead, they emphasised repeatedly that this was an act of criminality, even though there is little evidence that the hackers had a specific criminal intent (unlike those who reportedly tried to use the data released in order to extort embarrassed customers).
The company also stressed that “free thinking” people posting on the website were not acting unlawfully. While that statement may be true, and was evidently intended to normalize such behavior, it ignored the fact that much of the scandal revolved not around the data breach but around the morality of people using an online service to cheat on their partners, and around the company’s woeful response to the crisis.
Initially the company tried to argue that the breach was “not real” – or at least not as extensive as declared. So the hackers posted CEO Noel Biderman’s personal details and emails with the heading “Noel, you can admit it’s real now.” Then Biderman claimed to know the identity of the culprit, but no arrest followed and the company offered a $500,000 reward for information about the perpetrators. Then they advised worried subscribers to pay to delete their data (later changed to be free) even though the hackers argued that the “full delete” service was a fraud.
And none of this was helped by the company failing to properly apologise to customers or offer them meaningful advice on what to do next; or by trying to present themselves as victims; or by boastful claims that thousands of new subscribers were continuing to sign on.
So what have we learned from this debacle? That it was not mainly about hacking at all, but about the company being utterly unprepared for the most obvious and predictable crisis. There was a clear warning earlier in the year, when the sex site AdultFriendFinder.com was hacked, exposing millions of accounts. Ashley Madison reportedly knew their own system was also vulnerable, yet took no adequate steps.
For other organisations on the outside looking in, yes of course you need to review your cyber security. But much more importantly, you need to review your whole process for crisis preparedness and for addressing your most predictable crisis risks.