Why Ashley Madison's 'oh no' data breach didn't scare new users away
There once was a time when most people hadn’t heard of casual dating site Ashley Madison. That all changed in July 2015, when hackers stole sensitive customer information and posted the information on the dark web in a massive data dump, 9.7 gigabytes in size. The files included account details and logins for approximately 32 million of the dating site’s users.
One year later, the dating site is doing several things to redeem its damaged reputation, including rebranding its parent company from Avid Life Media to Ruby, bringing in a new CEO and President to lead the business, revamping their value proposition and launching their first-ever TV ad.
On one hand, I think these are good first steps for the company to take to begin to rebuild its brand reputation among its target users, the media and the public at large. But after reading through the countless news articles talking about the 'big' changes the company has made to redeem itself from last year’s data breach disaster, I couldn’t find a single reference or statement by the dating site’s new leaders about the status of that infamous 'Full Delete' service that was used to supposedly delete users’ account details. But obviously, the service didn’t do what its name purported and promised to do and the hackers were able to go back and recover those 'deleted' user account details and post them online.
As someone who’s worked in the data security and privacy space for a few decades, I am probably more sensitive to these types of matters. But considering the mayhem and public shaming that ensued for millions of users following the data breach, you would think it would serve as a red flag and cause a serious decline in the number of users that signed up for the dating site. Right? Apparently, that wasn’t the case.
According to the site’s new CEO, Rob Segal, the dating site didn’t suffer too horribly. Since July 2015, it managed to add 5 million new users and boosted its total user base to almost 46.8 million. Looking at these growth numbers, I’m both shocked and disappointed. Despite the severity of the data breach and the fact that the site misled users to believe their data had been removed, it would seem that users still aren’t taking data privacy as seriously as they should. If I were one of the 5 million users, I would not agree to sign up and hand over my personal details unless the site could definitively provide clarification on the status and use of its 'Full Delete' service and how the site verifies that data is permanently erased if/when a user wanted to close their account.
But I can also see why users may not be asking these questions. Most people just don’t know enough about data security as a whole. And most aren’t technical experts with the ability to differentiate between secure data removal methods and insecure data removal methods. And so, users often just blindly believe and trust that the companies collecting and storing their data are experts in the space and will perform the necessary due diligence in managing and protecting their data. That’s where the problem lies.
And companies don’t always have the necessary understanding or skill sets to properly manage data across every stage of its lifecycle. And because of this, they often use unreliable and ineffective data removal methods -- not because they don’t care about their customers’ data privacy -- but because they don’t have the necessary technology to remove data permanently.
Image Credit: Ashley Madison
Richard Stiennon is Chief Strategy Officer, Blancco Technology Group. He is responsible for leading the company’s overall corporate strategy, including long-term strategic planning, product positioning, public affairs, analyst relations, joint ventures and industry partnerships.