Lawyers Gear Up as Users Get Ready to Sue Ashley Madison hack reveals wider data risk
Security experts say the Ashley Madison hack shows the risk of having data online.

Operators of, the website whose slogan is "Life is short. Have an affair," have more than just the wrath of hackers to contend with.

Last week, just moments after cybercriminals posted a trove of customers' sensitive information to the dark web, law firms around the globe began posting announcements that they were starting investigations for class action lawsuits.

In some corners of the globe, lawsuits are already underway. On Thursday, two Canadian law firms filed a $578 million suit to the Ontario superior court of justice on behalf of "all Canadians" affected by the leak.

But you can expect more legal trouble for Ashley Madison; the leak is fresh and the probes still young. To better understand the potential cascade of legal actions about to hit Ashley Madison's parent company Avid Life Media (ALM), Newsweek spoke to two lawyers leading their respective firms' investigations.


The Ashley Madison hack and subsequent data dumps trigger a plethora of privacy laws, says Rabeh Soofi, managing attorney at Axis Legal Counsel, a Los Angeles–based privacy law firm. She points to myriad indicators that users had a reasonable expectation of privacy. Even the site's main photograph (a woman holding a finger to her lips), she says, suggests that customers are being provided with a discrete service.

"Most of the time when this happens, hackers accessed the information through phishing scams," says Soofi. "It tends to signal there is improper training, improper firewalls, improper authority that can be taken advantage of by outsiders with nefarious purposes." Part of her investigation will be looking for proof that the site had known vulnerabilities, but operators failed to act.

Consumer Fraud

For Phillip Kim, partner at Rosen Law in New York, the immediate focus is consumer fraud. When news of the breach surfaced last month, the responsible hackers, who go by the name Impact Team, said the impetus for their hack was a misleading profile deletion option ALM offered. According to documents leaked by Impact Team, ALM made $1.7 million in 2014 alone by charging customers $19 to remove their personal information from the website. The problem, says Kim: "It obviously didn't work because there are people out there that paid and their information was still exposed."

But the misrepresentations of the product don't end there; there are also allegations that, contrary to what was advertised, there are very few women on the site. "It is basically just the men that signed up for it," says Kim. According to an analysis by Errata Security the breakdown is about 28 million men and 5 million women. A lawsuit from 2013 by a former Ashley Madison employee appears to bolster this assessment. She claims that she damaged her wrists in the process of creating hundreds of fake female profiles. "The purpose of these profiles is to entice paying heterosexual male members to join and spend money on the website," the lawsuit reads."They do not belong to any genuine members of Ashley Madison—or any real human beings at all."


Also last month, Gawker posted a story about the married Condé Nast CFO who allegedly attempted to hire a gay porn star for a night. The Internet's collective uproar seemed to show that people weren't interested in the private lives of those that aren't public figures. With the Ashley Madison exposures, the world seems to have taken a turn, caught somewhere between fascination and repulsion.

"What is unusual about the Ashley Madison situation is that there seems to be a sentiment that the victims of this data breach are somehow deserving of having their information revealed to the public," says Soofi. She and Kim both worry that the nature of the leaks, subsequent shame and the potential impact on family and personal lives will discourage affected customers from coming forward.

It has been widely established that financial information coupled with demographic information constitutes a privacy breach, says Soofi. But what is the appropriate valuation of damages in a situation where someone's personal romantic affairs are disclosed? She says that this hasn't exactly been addressed in the legal world, at least not on this type of scale.