We watched “Ashley Madison: Sex, Lies & Scandal”, the Netflix Documentary covering the epic hack of the infamous dating site dedicated to extramarital affairs, its consequences on users, the company and its employees.
This is a documentary, distributed by Netflix, available exclusively on the Netflix platform, in 3 episodes of 49 to 53 minutes, starting with the launch of the online dating service in the early 2000s and ending with the incredibly consequential cyber-security breach suffered by the Company in 2015. The documentary follows the personal stories of employees and users as they are affected by the creation, growth and spectacular failure of the Ashley Madison platform.
We were looking forward to watching this documentary from the moment it was previewed on the Netflix platform as this scandal is often used as an example of how bad a data breach can get. And we were not disappointed! We even learned a lot we didn’t know about the company’s culture, its practices and the resolution of the litigation against them.
The singularity of this story, from a compliance perspective, is that it is a cautionary tale for both companies and individuals. Many of the lessons to be learned by Ashley Madison’s parent company, Avid Life Media (ALM), also apply to its users.
We enthusiastically recommend you watch this documentary and let us know if you agree with the 5 compliance lessons we are presenting below:
Lesson number 1: Keep your commitments to your stakeholders
Just like Ashley Madison’s users were breaking their commitments to their spouses by using (or trying to use) the website to engage in extramarital encounters, ALM broke its commitments to its users.
The documentary reveals many misrepresentations by ALM: IT security was sophisticated, female user profiles were real, old data was deleted…
The hack not only resulted in the leakage of personal data, it revealed how cynically focused ALM was on getting more and more users to spend more and more money on its platform. Ironically, the would-be cheaters found themselves cheated by the company they trusted with their deepest secrets.
The bigger the gap is between your stated values and your exposed behavior, the bigger the damage to your reputation. That’s why religious or political conservative public figures exposed as Ashley Madison users were even more impacted: they were denounced as hypocrites in addition to being adulterous.
A compliance program helps a company live up to its commitments by operationalizing value statements. One of the key values of ALM was discretion. For sure, the company did not invest nearly enough in strengthening its defenses against potential hackers, in complete contradiction to its public statements. Recordings of claims by ALM’s CEO about his company’s commitment to user privacy sound eerily similar to Sam Bankman-Fried’s interviews about the protection of customer funds at FTX… Maybe having a functioning compliance function would have allowed ALM to realize the cognitive dissonance between its claims and reality was untenable. An important reminder in our era where ESG-related claims are being carefully analyzed by many stakeholders.
Lesson number 2: Don’t let promising opportunities obscure your perception of risk
Both Ashley Madison users and the company itself were in denial of the risks associated with keeping sensitive data online. Hacks happen in banks and hospitals. Why not on a dating site? It seems like ALM’s top management was too focused on user growth and taking the company public to properly invest in IT security features. Maybe because such features would have impacted its bottom line and made it potentially harder for new accounts to be created.
Ashley Madison’s users were too focused on the “opportunities” offered by the platform to worry about the consequences of a data breach, which was a risk to be considered even with state-of-the-art cyber security systems. It looks like the promise of an affair prevented them from looking at their situation with the proper level of skepticism.
It’s interesting to observe how raising the stakes can lower the care with which companies and individuals make decisions. It is also fascinating to see how easy it can be for us to misplace our trust. Like in other scandals we covered, magical thinking plays a role in lowering people’s guard against risks. The cautious and open-minded approach of the cyber-investigators hired by ALM is a precious reminder that “reasonable assumptions are the road to hell”.
Lesson number 3: Treat confessions with caution
Just like Ashley Madison’s users only admitted to their infidelities once their names were made public, ALM did not admit to any misrepresentation until they were fully exposed.
The documentary shows very well the sequence of events leading the Company and its users to gradually admit wrongdoing, only as denial ceases to be an alternative.
As experienced compliance investigators will know, fraudsters don’t just confess to clear their conscience. They will only openly admit to what they think the investigators already know or are bound to find out soon. As liberating as it might be to confess misconduct, that is not why people do it.
In a compliance investigation context, getting a subject to describe their own intentional breaches takes a lot of expertise and preparation. In short, if you want someone to confess to something you don’t already know about, you need them to believe that you do know about it and have the evidence to back it up.
Lesson number 4: Don’t keep or generate data you don’t need
The only data that can’t be leaked or stolen is the data that does not exist, because it was effectively deleted or, even better, never created in the first place.
By claiming that they deleted user information and even charging extra fees for such deletion, ALM violated the trust of their users and cultivated a vulnerability with no apparent benefit for the company. It is indeed unclear how they could possibly monetize further data that should not exist. In this case, the trust violation is not only egregious, it also appears to be pointless.
“Data minimization” is not only one of the key principles of any good data privacy compliance program. It is also a good way to protect one’s individual privacy, by not generating and/or storing information that we wouldn’t want to see leaked.
So if your organization collects and/or manages any type of data that it does not need and can’t monetize, we would suggest using this documentary to help you make the case for a big data clean up exercise.
Lesson number 5: The Fraud Triangle also applies to love triangles
Most compliance professionals have already heard of Donald R. Cressey’s theory that 3 components are necessary for trust violation to occur: pressure, opportunity and rationalization, also referred to as the “Fraud Triangle” (if you are not familiar with this concept, check this page on the Association of Fraud Examiner’s website).
The same can be said about extra-marital affairs. ALM’s entire communication and marketing approach was aimed at providing opportunity and rationalization to its potential users. ALM’s CEO went so far as to claim that Ashley Madison’s service was in fact saving marriages by providing a safe outlet for cheating impulses. According to him, cheating on your spouse with a colleague was much riskier than using his website.
One of the most shocking trust violations presented in the documentary is the heavy reliance of Ashley Madison on bots to impersonate female users. To put it simply, ALM intentionally generated a large quantity of fake user profiles and charged its real users to interact with them.
Unfortunately, the documentary does not quite allow us to break down ALM’s trust violation in terms of pressure, opportunity and rationalization. The pressure component is obvious: profit maximization (a.k.a. greed). The opportunity component is also quite common here: the belief that users won’t know any better and we won’t get caught (a.k.a. feeling of impunity). But the rationalization component requires a better understanding of the CEO’s thought process. In many corporate scandals we already referenced (Enron, Theranos, FTX…), companies started spiraling out of control when executives started getting high on their own marketing supply. Maybe this is what happened here… maybe ALM’s executives started to believe they were doing a service to the community by keeping would-be cheaters from consummating their infidelity… We can only speculate what their rationalization was.
How morally wrong Ashley Madison users were is up for debate and probably warrants a case-by-case analysis. Even the hack itself, though objectively illegal, can be seen as righteous, from a certain perspective. But ALM’s misrepresentations and negligence were objectively wrong and self-serving. Today, the site appears to continue to operate and thrive under new management. It will be interesting to see how the new executives manage to avoid the pitfalls that caused the demise of their predecessors. If they haven’t yet improved their overall integrity, data privacy and IT security programs, let’s hope they read this article and change their mind.