Affair site Ashley Madison has denied allegations it is not deleting customers’ data when requested.
The allegations were published on Sunday when hackers, operating under the name “Impact Team” used an unspecified method to breach Avid Life Media (ALM).
ALM is a Toronto-based company that owns Ashley Madison and a number of other “hookup sites,” such as Cougar Life and Established Men.
The attacks were designed to punish the site, which the hackers accused of charging for a bogus full-delete service, previously reported on by Ars Technica.
The feature promises to completely purge customers’ information from ALM’s database for a $US19 fee. According to Impact Team the service is “a complete lie” and doesn’t actually delete the paying customers’ information.
An Ashley Madison spokesperson denied the allegation in a statement sent to Business Insider.
“Contrary to current media reports, and based on accusations posted online by a cyber criminal, the “paid-delete” option offered by AshleyMadison.com does in fact remove all information related to a member’s profile and communications activity,” read the statement.
“The process involves a hard-delete of a requesting user’s profile, including the removal of posted pictures and all messages sent to other system users’ email boxes. This option was developed due to specific member requests for just such a service, and designed based on their feedback.”
The hackers had leaked a small percentage of the site’s 37 million users account data online as proof of their claim.
The data included users’ real names and addresses, as well as maps of ALM’s internal company servers, employee network account information, company bank account data, and salary information.
The hacker group claimed the leaked customer list includes Ashley Madison members who had paid to have their data deleted.
ALM has not confirmed how much of the data is legitimate. The spokesperson said ALM is also working to delete the leaked data and has already “successfully removed the all posts related to this incident as well as all Personally Identifiable Information (PII) about our users published online.”
The company says it had the data removed using the Digital Millennium Copyright Act (DMCA) and various other unspecified techniques. The DMCA is US legislation that was originally designed to combat digital piracy. It lets companies block access, or mount takedown operations against sites or services hosting infringing content.
The firm added it is continuing to work with law enforcement and unnamed “forensics security experts” to find the root cause of the breach. ALM announced it was working with specialists from the security firm Cycura to plug the undisclosed security holes used by the hackers in a prior statement on Monday.
ALM declined Business Insider’s request for more details about how it removed the content.
Services like bulletproof hosting and the deep and dark web would make it difficult for ALM to completely remove its customer’s details from the internet.
Bulletproof hosting is a service offered by less scrupulous domain hosting or web hosting firms that grants customers increased freedom to upload and distribute illegal material.
In the past, Bulletproof hosts have been used for a variety of criminal purposes, including running cyber black markets, digital piracy rings and child pornography sites.
The deep and dark web are areas of the web that do not index on the public internet and, or cannot be accessed through regular web browsers. They are regularly used by criminals and dissidents in oppressive regimes to host and distribute information.