During the summer of 2015, a database containing the personal information of 33 million Ashley Madison user accounts was released to the public by a hacking collective known as the Impact Team. Among the items released were members’ login details, mailing addresses, email addresses, phone numbers, transaction details, credit card data, and user passwords. The data dump also included more salacious information like users’ photographs, sexual fantasies and preferred types of sexual encounters.
Not only did the data breach violate the privacy expectations of customers — many of whom had been lured into believing that their use of the site would be “discreet” and “100% secure” as advertised — it also exposed the inner workings of the website, which relied heavily on fake computer-generated messages to lure customers into paid memberships. It is alleged that “Ashley Madison caused over 20 million of these computer-generated messages to be sent to its male members, and a remarkable 80% of all first purchases made by the male members [of the website] were as a result of these computer-generated messages.” This, combined with certain disclosure and payment practices concerning messaging credits and other advertised services, helped drive the litigation that ensued.
In light of these revelations, a host of class action lawsuits have been filed nationwide on behalf of affected customers. The lawsuits typically allege that the company failed to adequately protect clients’ personal and financial information from theft; failed to respond to known security threats to its system; engaged in false and misleading advertising about the services offered and the legitimacy of other user accounts; and/or misrepresented the nature of its additional full-deletion service, which was supposed to have deleted all personal data from AM’s systems for an additional flat fee of $19.
The litigation phase of the Ashley Madison hacking scandal is now underway. The Judicial Panel for Multidistrict Litigation has consolidated the lawsuits before the Hon. John A. Ross of the U.S. District Court for the Eastern District of Missouri in St. Louis for coordinated pretrial proceedings. To date, the following lawsuits have been consolidated before Judge Ross, which gives you a sense of just how many people were affected by the data breach:
Doe v. Avid Life Media Inc et al., No. 4:15-cv-00640 (E.D. Ark.)
Does et al v. Avid Life Media, Inc. et al, No. 2:15-cv-06619 (C.D.Cal.)
Campbell v. Avid Life Media Inc et al., No. 2:15-cv-09475 (C.D.Cal.)
Berki et al v. Avid Life Media, Inc. et al., No. 2:15-cv-08208 (C.D.Cal.)
Poyet v. Avid Life Media, Inc. et al., No. 2:15-cv-08456 (C.D.Cal.)
Alfaro v. Avid Life Media, Inc. et al., No. 5:15-cv-02295 (C.D.Cal.)
Deloach v. Avid Life Media, Inc. et al., No. 4:15-cv-00299 (S.D.Ga.)
Doe v. Avid Life Media, Inc. et al, No. 1:15-cv-07760 (N.D.Ill.)
Doe v. Avid Life Media et al., No. 1:15-cv-08270 (N.D.Ill.)
Pauly v. Avid Life Media, Inc. et al., No. 1:15-cv-08842 (N.D.Ill.)
Lisuzzo v. Avid Life Media, Inc. et al, No. 1:15-cv-11305 (N.D.Ill.)
Russell v. Avid Life Media Inc. et al., No. 8:15-cv-02693 (D.Md.)
Doe v. Avid Life Media, Inc. et al., No. 3:15-cv-00658 (S.D.Miss.)
Doe v. Avid Life Media, Inc. et al., No. 1:15-cv-07017 (S.D.N.Y.)
Doe v. Avid Life Media, Inc. et al., No. 2:15-cv-00386 (E.D.Va.)
The Moya Law Firm is following the litigation closely and will post updates as the matter progresses. For those interested in understanding the particular security vulnerabilities that may have been at play, Ars Technica wrote an excellent article in September 2015 about how the company may have been hacked.