The popular dating website, AshleyMadison (with the slogan “Life is short. Have an affair”) was hacked about a month ago by the Impact Team, a self-professed hacktivism group that threatens to release confidential user information if their demands to take down websites are not met. The Impact Team has now followed through on their threat by dumping almost 10 gigabytes of data on the dark net. The dark net is a part of the internet that is not indexed by normal search engines or reachable with normal browsers; it requires the Tor browser, which anonymises traffic through onion routing.
At the time of the breach it was reported that the details of nearly 40 million of its users were compromised. The file appears to include account details and log-ins for 32 million users (including 175 000 South Africans) of the site as well as seven years of credit card and other payment transaction details. The data includes contact details and amounts paid but not the actual credit card numbers, other than the last four digits of the credit cards or a unique transaction ID. According to the Impact Team, these credit card details could be used to identify individuals and link them to their accounts which contain sensitive information such as sexual fantasies.
According to the hacktivism group, they targeted AshleyMadison and its related site, EstablishedMen, due to questionable privacy and business practices and the morals the site condones and encourages. Although the company assured users that all data would be deleted for a price of $19, this data was actually retained. In addition, anonymous accounts can be traced back to real names using credit card information. Releasing this data dump was part of their mission to prove that the information was not removed and that personally identifiable information was retained.
Avid Life Media, the company that runs both websites, kept both sites alive despite numerous warnings and assured customers that it had enhanced security of its networks. The Impact Team have warned that they will continue to leak data on to the dark net on a daily basis (including real names) until the sites are shut down.
When in force, the Protection of Personal Information Act (POPI) will give data subjects the right to request that their personal information be deleted or destroyed by South African processors of information in a manner that it cannot be intelligibly restored if the information is irrelevant, outdated, incorrect, misleading, excessive or if the person is no longer authorised to retain it. Where information is de-identified, it must not be capable of being re-identified.
Non-compliance with POPI could result in civil action by data subjects (or the information regulator on behalf of the data subjects), investigations and notices from the information regulator, administrative fines of up to ZAR10 million, or even imprisonment for up to 10 years or monetary penalty for offences.
Remember: in the online world, anonymous is never really anonymous.