Ashley Madison Faces Multiple Suits Seeking More Than a Half-Billion Dollars
by M. Alex Johnson
AUGUST 25, 2015
At least five lawsuits seeking class-action status have been filed over the hack of cheat-on-your-spouse website Ashley Madison, seeking more than a half-billion dollars, according to North American court records.
Four federal suits had been filed in the United States as of Monday, all of them obtained by NBC News — two in California, one in Texas and one in Missouri. All allege breach of contract, negligence and violation of various state and privacy laws by Ashley Madison and Avid Life Media LLC., its Canadian parent company.
None of the suits has yet been certified as a class action covering the reported 37 million members of Ashley Madison, whom they characterize as having suffered humiliation and harassment over the reported publication of delicate personal information — including credit card data and, in some cases, photos and sexual fantasies — by hackers calling themselves Impact Team.
The data purportedly published by Impact Team has yet to be independently confirmed as authentic.
The plaintiffs are all anonymous, filing under the names John Doe or Jane Doe. As is common in the preliminary stages of prospective class-action litigation, none of them make specific requests for damages. But all say reasonable penalties would exceed $5 million.
The fifth case is different. Filed last week in Canadian federal court, it seeks $573 million and class-action status in behalf of a named plaintiff, identified as Eliot Shore.
In the suit, attorneys for Shore say their client briefly joined Ashley Madison after his wife died of breast cancer. It says Shore never met with any of the site's members and stresses that he never cheated on his late wife.
Lawyers in one of the cases, filed Friday in U.S. District Court for the Northern Texas District, specifically allege that Ashley Madison and Avid Life should have known about vulnerabilities in their computer systems — because they'd been warned about them.
The suit alleges an internal company file included in the hack lays out multiple "technical issues that could lead to a data breach occurring, as well the legal problems that may come with that."
According to the suit, the document specifically notes that customer data were at risk of being exposed by phishing — in which an employee is conned into revealing protected information — and by an attack called SQL injection, in which malicious requests are entered into a database to force it to dump its data.
The suit also says at least two other Ashley Madison employees filed similar memos warning of weaknesses "allowing hackers access to our user data."
The bad news doesn't end there. Earlier Monday, computer security journalist Brian Krebs, who broke the story of the original hack, reported that his review of materials published by Impact Team found emails appearing to be from the company's chief executive, which suggested that the company itself hacked a competing dating service run by sex website Nerve.com in 2012.
According to Krebs, Ashley Madison's chief technology officer at the time told his chief executive that he'd been able to gain access to "their entire user base."
"Also, I can turn any non-paying user into a paying user, vice versa, compose messages between users, check unread stats, etc.," the official wrote, according to Krebs.
Representatives of Ashley Madison and Avid Life didn't immediately return NBC News' requests for comment Monday night. Krebs said they declined to respond to him, too.