The devastating hack and leak of more than 30 million customers’ data has already done irreparable damage to extra-marital affairs dating website Ashley Madison’s reputation, leaving parent company Avid Life Media’s (AVM) future in doubt. Now, the threat of legal action could wipe the company out altogether.
A class action lawsuit is already underway against the company in Canada, while one British law firm estimates that in the worst case scenario, the legal costs could run into the billions — a figure that would prove ruinous for AVM.
Earlier this week, a hacker (or hackers) calling themselves Impact Team dumped 10GB of data online, including internal documents and the user data of more than 30 million users, ranging from financial information to sexual preferences. This has been followed by a second, larger dump on Thursday night, which reportedly includes the emails of CEO Noel Biderman.
The release has caused a huge commotion: Ashley Madison explicitly advertises itself as a service for people looking to have an affair, so the user data has potential to be reputationally damaging to those implicated. The site didn’t verify email addresses, meaning that finding someone’s details in the dump doesn’t guarantee that they signed up themselves. But more than 15,000 US military and governmental have been found, and conservative family values activist Josh Duggar has admitted to using the site after his email was discovered.
And so it begins…
The legal fallout of the leak has already begun: As CBC reports, Canadian Eliot Shore is bringing legal action against the company on behalf of all Canadians who used the site. According to The National Post, it is seeking $US750 million (£360 million) in general damages, along with an extra $US10 million (£4.87 million) in punitive damages.
According to documents leaked in the first dump, AVM had revenues of $US114 million (£73 million) in 2014 — around 90% of which came directly from Ashley Madison. (AVM also owns two other dating sites, CougarLife and Established Men. The latter was also targeted in the hack, while the former, strangely, was not.) The Canadian lawsuit dwarfs that sum.
Luke Scanlon, a technology lawyer at London legal firm Pinsent Masons, has an even more ambitious figure for potential legal costs. Ashley Madison had around 1.2 million users in the UK. If, theoretically, they all sued for distress and claimed for £1,000 in compensation then the legal bill would be £1.2 billion — 16 times the company’s revenues. It’d go bankrupt immediately.
Now, realistically, all 1.2 million users aren’t going to sue. Many would rather keep their heads down and hope that this whole thing will eventually blow over. Fox Rothschild LLP lawyer Scott Vernick told NBC that he’d “be surprised if you get a lot of traction here,” because of the embarrassing nature of the lawsuit. However, NBC also adds that an anonymous “Jane Doe” Missouri woman has also started legal action and is also seeking class-action status for her suit.
Scanlon thinks that those who do sue would have a good case: “The interesting thing about this incident is that recent court decisions in the UK have been leaning towards the view that a claim can be brought when no financial loss occurs but when a person experiences distress as a result of a data breach.”
Given that the Ashley Madison data dump contains detailed information on many users’ sexual fantasies — and that even being named in it has the potential to be highly damaging — the case for “distress” definitely looks like a strong one.
Also: Britain is just one country, with a tiny fraction of Ashley Madison’s total users. According to internal documents, AVM has customers in 46 different countries, from Venezuela to Pakistan — meaning the country could face legal battles in dozens of different jurisdictions simultaneously.
And that’s not all…
Distress is one avenue that litigators could take against AVM. Another is false claims.
Ashley Madison prominently touted a “full delete” feature that claimed to totally scrub a user’s information from the site for a $US20 fee. When the news of the hack first broke back in January 2015, Impact Team alleged that these claims were bogus, and that the service does not actually fully wipe a user’s information.
AVM vehemently denied these claims in a statement, but the dump of user information appears to show some information retained about customers who had paid for the full delete. If true, customers could sue over these false claims — and government regulators may also choose to get involved.