Advertisement

SKIP ADVERTISEMENT

Ashley Madison Chief Steps Down After Data Breach

The Ashley Madison founder Noel Biderman in Hong Kong in 2013.Credit...Bobby Yip/Reuters

In the last two years, online attacks have led to executive casualties at prominent companies like Sony Pictures Entertainment and Target. Now add to the list the chief executive of the company operating the adultery website Ashley Madison, a lesser known but far more salacious victim.

Avid Life Media, the parent company of Ashley Madison, announced that its chief executive, Noel Biderman, stepped down on Friday, more than a month after hackers broke into the company’s computer systems and released data and emails that suggested it engaged in questionable business practices.

The breach of Ashley Madison, an online service that facilitates extramarital affairs, resulted in the leak of personal information attached to more than 30 million accounts, including those of 10,000 American government officials, a handful of celebrities, a few clergymen and, apparently, very few real female profiles. Leaked emails also showed that the company may have hacked into the computer networks of its competitors.

Mr. Biderman is the latest executive to have left a company — voluntarily or involuntarily — after a network breach. Amy Pascal stepped down as Sony Pictures Entertainment’s co-chairwoman in February after hackers released stolen data, including many embarrassing emails. In 2014, Target’s chairman and chief executive, Gregg Steinhafel, a 35-year veteran of the retailer, stepped down months after a huge breach resulted in the theft of 40 million customers’ payment details.

Those ousters have made security a priority among executives. According to a survey by the Ponemon Institute, which tracks data breaches, only 13 percent of senior management said their concern about a data breach was extremely high before the breach at Target. That jumped to 55 percent after the incident.

“There’s less forgiveness,” Larry Ponemon, the founder of the Ponemon Institute, said in an interview on Friday. “The board is more concerned now than it has ever been with preserving the reputation of a company after a data breach. If the C.E.O. has to leave the company as a result, that’s the cost of doing business.”

A statement from Avid Life Media said that Mr. Biderman was no longer with the company, effective Friday. “This change is in the best interest of the company and allows us to continue to provide support to our members and dedicated employees,” the statement said. “We are actively adjusting to the attack on our business and members’ privacy by criminals.”

Mr. Biderman also created the companion sites Established Men, which targeted women looking to meet wealthy men, and Cougar Life, a service for older women.

When hackers leaked Ashley Madison’s data this month, they accused the company of fraudulent business practices, like overstating how many women actually used AshleyMadison.com. One analysis showed that of the site’s roughly 34 million users, only 15 percent were female, and that only a small slice of those profiles were actually active.

That could constitute a deceptive trade practice that could open Avid Life Media to an investigation by the Federal Trade Commission. And if the F.T.C. can prove Mr. Biderman was aware of the fraudulent practice, participated in it and benefited from it, the commission could pursue him as well, said Marc Zwillinger, a founder of ZwillGen, a law firm that specializes in data breach cases.

Mr. Biderman did not respond to a request for comment. Avid Life Media said it would not help arrange any interviews as he is no longer with the company.

After releasing customer data, hackers last week dumped a second, 30-gigabyte data archive of Mr. Biderman’s emails. Among the emails posted was a 2012 exchange with Raja Bhatia, who was the company’s technology officer then but who has since departed, in which Mr. Bhatia said he had exploited a security hole in a competitor’s website, nerve.com, that allowed him to download and potentially manipulate the site’s user data. Emails show that Avid Life Media planned to offer $20 million to acquire nerve.com and flirt.com, a second website, but ultimately decided against the acquisition.

Mr. Bhatia’s emails now seem prescient. “There will be an eventual security crisis amongst one of your properties and the media will leap on it as they always do,” he wrote in one leaked email.

Prosecutors could use information from the leaked emails to charge Avid Life Media’s executives under the Computer Fraud and Abuse Act, which makes it a crime to enter computers or take information from them without authorization, Mr. Zwillinger said. The operators of nerve.com and flirt.com could also sue for civil penalties, he said.

And then there are the class-action suits. The hackers accused the company of charging customers a $19 fee to delete their accounts, but the information posted by the hackers show that customers’ data still lingered on the site. That could constitute breach of contract, said Randy V. Sabett, special counsel at the law firm Cooley in Washington.

At least four lawsuits have already been filed in the United States against Avid Life Media. In Canada, two law firms have filed a class-action suit against the company on behalf of a Canadian widower who is suing the company for $578 million. He said he briefly joined the site after his wife died of breast cancer.

Mr. Ponemon said his firm had found that the cost of mega-breaches now averages $23 to $25 per exposed record, which includes the costs of lawsuits. That means the cost of Avid Life Media’s breach could rise as high as $850 million.

But in this case, “The reputation effect alone is going to kill the company,” Mr. Ponemon said. “Their whole model is based on secrecy and the privacy of the individuals participating in this service. The reputational damage will be very difficult to overcome.”

The company said it was working with international law enforcement agencies to investigate the data breach, which Canadian police have also linked to two suicides.

Last week, Mr. Biderman hinted that the company knew who had breached its systems, but few leads have been made public. On Wednesday, Brian Krebs, a well-known security blogger, theorized that a Twitter user who posted a link to Avid Life Media’s stolen code before the data leak was made public may at least know who is responsible for the breach.

Police in Toronto, where Avid Life Media is based, have said that employees first learned that their systems had been breached when they arrived at work on July 12 to find a menacing message on their computer screens accompanied by the rock band AC/DC’s song “Thunderstruck.”

Mr. Krebs said he had downloaded five years’ worth of posts from the Twitter user and found boasts about web attacks and references to AC/DC’s “Thunderstruck.”

A version of this article appears in print on  , Section B, Page 1 of the New York edition with the headline: Ashley Madison Chief Is Latest to Depart After a Data Breach . Order Reprints | Today’s Paper | Subscribe

Advertisement

SKIP ADVERTISEMENT