Nasir and Matt revisit the Ashley Madison scandal for a third time to discuss data breaches, class action lawsuits, and fraudulent accounts.
Full Podcast Transcript
NASIR: All right. Welcome to our podcast where we cover business in the news and add our legal twist. My name is Nasir Pasha.
MATT: Did you say Nasir Pasha?
NASIR: No, I said Nasir Pasha.
MATT: Well, I’m Matt Staub, but it sounded like you said Sir Pasha.
NASIR: Yes, Nasir Sir Pasha.
MATT: You’ve reached another level of royalty, I guess.
NASIR: I was at one level of royalty but I got to the next level of royalty.
MATT: Yeah, you were at one then you went to two.
NASIR: Oh, very good. Well, life is short, Matt. You should have an affair and then get caught with it.
NASIR: That’s my advice.
MATT: They cancel each other out so then you’re at square one.
NASIR: Yeah, exactly.
MATT: Well, I think that’s what a lot of men were trying to do. Well, let me step back. I don’t think any men were trying to get caught but a lot of men were.
NASIR: But, in a way, were they though? They weren’t; they were just asking for it, no?
MATT: No, they were asking for it, but we’re talking about the Ashley Madison stuff again just because we have to because there are so many things going on.
MATT: But I don’t see how any reasonable person could sign up for that and be like, “Yeah, this could definitely work out.” I mean, I don’t think they were expecting this massive leak of information or all the accounts that got signed up.
MATT: Just who are the people that were signing up with their work account?
MATT: Why would these people ever do that? I don’t really understand it.
NASIR: Exactly. There’s a lot of issues here and hopefully we get to cover it all.
One of the main things that these class action lawsuits that are coming out now, there’s one in California that’s pretty big and another one in Toronto – that’s where the company is based – and they’re suing them – not only Ashley Madison but the parent company as well. Basically, if you paid $19.00, you would get your data deleted. Apparently, they were doing some of it, but there were some accounts according to the California lawsuit that weren’t scrubbed. But, if you look at even what they did purport to scrub, in the raw data that was released, they don’t quite delete the whole email address; they just delete the first part of it which is pretty strange. And then, second, apparently, they also include the GPS location of where you’re at and what your likes and dislikes are so it is anonymized to a certain degree – at least the default is – but, even then, they say that there were some accounts that weren’t deleted at all or somehow their personal information was still identifiable.
MATT: Yeah, which is not surprising because that seems like how everything was run with this company from the get-go. I mean, one thing I thought that was funny that came out was, you know, they advertised this 70 to 30 split male-to-female which isn’t too great but, you know, it’s still decent.
MATT: Yeah, but after all this information’s been coming out, they’re saying it’s more akin to a 95 to 5 split with the 5 percent of females pretty much not even using the account.
NASIR: And then, 50 percent of that 5 percent were actually men.
MATT: Yeah, I mean, we don’t know for sure yet but what’s believed is this is what happens and I think there’s pretty good evidence of it is that Ashley Madison was just creating these fake female accounts to ramp up the numbers and now that’s just one of the many deceitful things that this company did.
MATT: Now, I mean, it’s one thing to have the data hacked into and all dumped out but, you know, that’s one problem. But now they’re really digging into the company and seeing all these other fraudulent things that have occurred. I saw some pretty sizeable numbers. I mean, the class actions alone, one suit was alleging more than $500 million in damages. I think I saw a number of over a billion dollars total with all these different lawsuits that are being thrown around.
NASIR: Which is a problem. We talked about, you know, when we last talked about this, I was struggling to figure out, like, how do you do a class action? Because, I mean, that seems to be the next thing to go, and this was before a lot of this data was even released. I mean, when we first covered this, it was posted but only some of it was posted and they were pretty successful in getting this data down. But then, I think last week it hit hard and then the next day the CEO emails were released which, by the way, I don’t know if you saw that. Some of the CEO emails basically – surprise, surprise – show that he was having a couple of affairs or something like that – something to that effect. Not too surprising. But do you know how we found out about these fake profiles? It’s a couple of ways. There was a former employee who claimed she made hundreds of fake alluring female profiles and so that’s one source. And then, there was also this other lawsuit with a former employee or contractor that basically was hired to do the same thing. Apparently, from what I can see and what’s being alleged, this was a pretty common thing for them to do.
MATT: And that would make sense, looking at their 70-30 claims versus the 95-5 that we’re seeing now. And so, like I said, that’s one thing.
NASIR: One thing is I think the next kind of hammer to fall on Ashley Madison, I mean, these class action lawsuits are enough, but I think the FTC has to get involved at this point. I mean, there’s just too much information there that is just, you know, it’s becoming more and more revealing and likely that a lot of the things that they said they were supposed to do, they did not do. They mishandled information and data. For example – and this is maybe unrelated to the FTC – in California, one of the allegations was they didn’t notify the users of the breach soon enough which is kind of maybe probably a technical glitch because I’m sure everyone heard about it. It’s been on the news for the past every day for the past few weeks. But it seems as though Ashley Madison, I think when we first talked about it, we were like, “Well…” I think you even mentioned that, “Well, this might be the end of the site,” but then you kind of took that back a little bit because, well, it’s going to survive. There’s been many other sites that have survived. But what do you think now? After all these things that have gone through, is this the last we’ve seen of Ashley Madison?
MATT: I would guess it’s probably the last. I mean, it still might be around. Well, actually, if the FTC gets involved like you’re saying then, yeah, I think it’s probably game over. But, in terms of a similar site, I wouldn’t be surprised if… well, there are probably already ones that are out there but, you know, I think something similar could easily pop up and, you know, remain. But, yeah, like you said, I agree with you; the FTC looks like they’re going to get involved. I mean, you know how it is, especially when something gets this much publicity, the target keeps growing larger and larger on the back and eventually all these different agencies are going to come in and really just wreak havoc. The CEO is probably done. He’s looking at some jail time, I would guess.
MATT: I guess the most surprising thing – and you mentioned it briefly earlier – is how many people are stepping forward to help out this class action because I think I said, “No one’s going to come. I mean, that’s going to be the biggest problem if there’s a data leak, like, who’s going to come out and say, ‘Yes, I was affected by this so I should benefit.’”
NASIR: I also remember I also said, like, “How do you notify the class?” but I realize – and I talked to a class action attorney about this, by the way – basically, what’s very common is that, you know, just like the Red Bull thing, right? When we submitted our Red Bull request and we still haven’t gotten that settlement yet.
MATT: Not yet.
NASIR: I’m pissed off about that but that’s a different issue. We actually had to go to a website and say, “Hey, we bought some Red Bull,” and that’s it. That might be a way to do it. Okay, you put in your information and they verify it and so forth somehow that you’re part of this list of users and then collect your funds. But the biggest problem with the class action is that how do you prove damages? I think that’s going to be the tough part. For example, the data breach or whatever, the privacy and so forth, I think mostly it’s going to be the $19.00 they may have paid, that’s going to be the easiest damages. But if the class action is more along the lines that, “Hey, you ruined my marriage,” that is going to be a tougher one to settle or get past a class action certification.
MATT: Yeah. I mean, it’s always easier when there’s numbers involved and that’s what they’re targeting. I mean, the argument of “yeah, you’ve ruined my marriage.” I want to say something about the point you just made. Like, with the Red Bull, someone could have not drank a Red Bull during that time period that they put out there and they could still get the two Red Bulls. No one who didn’t register on the site is going to say, “Oh, yes, I did register. I want my money,” because then you get a check in the mail.
NASIR: From Ashley Madison. “What’s this?” Well, to be fair – and people have mentioned this, too – the people listed on the site and their email addresses that may still be public because they didn’t pay that $19.00 for example, it doesn’t mean they had an affair. It just means that maybe they were seeking an affair or like this other reporter that we covered – I forget if we covered him but it was a couple of years ago, I think in 2013 or so, this reporter went “undercover” to register Ashley Madison to do a cover story on it.
MATT: Of course.
NASIR: I wonder how it actually started, you know. It’s like, “Oh, honey, I’m just doing research,” right? When he’s searching the site.
MATT: Yeah, exactly. That’s a nice little backstory but, you know, this all kind of started with I think it’s called the Impact Team.
MATT: They call it these black hat groups but basically it’s people that are trying to right some wrongs and it’s all based on hacking in and doing things from there. But, usually, what happens is they’ll just do it unannounced. But it looks like, in this instance, they clearly announced something beforehand – this cyber-attack – and I think they did the same thing with Sony a few years back. But, as a business owner, you know, unless your business is – well, probably a couple of things – unless your business is morally or ethically questionable and then also you’re big enough to garner attention, you probably don’t have to worry about this. But, you know, it is a situation maybe that someone tries to leverage something – and I use the word “leverage” and not “extort” – but I would take the stance as a business owner with some of these, if this would happen to me, a bigger company would put that aside but, if I had a smaller business and someone tried to come after me for a similar thing, I’m probably just not going to do anything, I guess.
MATT: Or maybe, if it was really bad and I was concerned about it, maybe try to settle something silently so it doesn’t become public.
NASIR: Yeah. You see, in other cases like Target, Home Depot, and these big retail stores, there’s been really big hacks, right? That have had their data leaked. A lot of times, when it comes to consumers, it’s like, “Okay, my name and my credit card information and maybe the type of soda I buy is now public information.” That’s not as big of a deal. But, when you’re dealing with these kinds of sensitive situations and so forth, then it becomes: “Okay, great.”
Let me talk technically here for a second. I really feel that, eventually, we’re going to lead to a point, especially when technology can keep up with it, where all this data that is stored in databases is fully encrypted. What I mean by that is a lot of this text or information that is stored in databases – like your password, for example – is encrypted. This is good programming. Most software online is like this. If you design a site and you have access to the back-end, you still may not have access to all the passwords because the passwords themselves are encrypted through hashes what they’re called or hashes and I don’t want to sound stupid amongst my tech friends so I’m just going to stop there but the point is that when this data is released, these databases are released, oftentimes, when people say that the most common password is “12345” or whatever, sometimes it’s because they find the passwords were not encrypted or sometimes they are and you can always go backwards. So, if you put in “1234” and then encrypt it and get the same key as what’s in the database, then you know it’s a match. That’s why, if you pick more complicated passwords, it’s different.
Here’s my point. When it comes to compliance with standard security standards, it’s going to be more leaning towards encrypting the entire database, including all these details, including credit card numbers, including your email addresses, because it’s going to be harder and harder to prevent these kinds of attacks and that’s going to become the standard. But the problem why people don’t do that now is because it hogs a lot of resources because, every time you access the database, it has to be decrypted. That was long-winded, I know.
MATT: Can you repeat that?
NASIR: Yeah. Yeah, I’ll repeat that. The bottom-line is programmers should be listening to this because, if they’re able to solve that problem of how to encrypt and decrypt which I’m sure they have already but it just hasn’t gone widespread yet, I really think it’s going to get to a point where, if you don’t do that, then you’re negligent, then you’re falling below the standard of care for which you need to do secure data.
MATT: You know, one thing that’s pretty unfortunate and I think these would be separate lawsuits are these people that I guess there’s been some suicides that have been linked to this hack.
MATT: And so, those families are definitely going to come after. If there’s any money left, they’re definitely going to go after Ashley Madison. I don’t know if they’ll win but that’s another level.
NASIR: Yeah, that is another level and there’s been a lot of stories like that – suicides, people coming out that “Ashley Madison ruined my life” – and it is interesting because I do see a lot of people online just don’t have the sympathy that maybe some people think that they should have in some of this stuff.
MATT: You know, I just realized too that what you started off the show with, I didn’t realize that was their slogan.
NASIR: Oh, you didn’t?
NASIR: Yeah, it’s the stupidest – well, my opinion – the stupidest slogan ever. I mean, “Life is short. Have an affair.” It’s comical, you know?
MATT: I just thought you made that up. It makes a lot more sense now.
NASIR: I was going to say maybe you thought I was more clever than I was but it wasn’t that clever in the first place.
MATT: Yeah, fair enough. Well, now for the second to the worst slogan of all time – keep it sound and keep it smart.