Ashley Madison’s Achilles heel is exposed—and it’s not immorality

The infidelity-focused website AshleyMadison.com has spent the past 14 years walking a razor-thin line between delighting its customers and disgusting just about everyone else—an impressive feat in a world where most companies seek to avoid even the faintest whiff of controversy. Now it’s at risk having all that undone by an IT problem.

Toronto-based Avid Life Media confirmed Monday that Ashley Madison, which connects potential adulterers with willing partners and boasts 36 million users in 46 countries, was hacked “by an unauthorized party,” while cybersecurity blog Krebs on Security reported that “large caches of data” have been posted by an individual or group. Krebs also reported that the perpetrators had threatened to publicly post complete customer records, “including profiles with all the customers’ secret sexual fantasies … real names and addresses” unless Ashley Madison and its sister site Established Men were taken down permanently.

In a statement, Avid Life said that it has since managed to secure the unauthorized access points and is now in the process of working with professionals to determine the scope and severity of the attack.

While Avid Life is hardly the first company to suffer a breach of private customer data, it arguably has more to lose than most. Many of its users are married or in relationships, and are unlikely to want their cheating ways publicly exposed. “We have always had the confidentiality of our customers’ information foremost in our minds, and have had stringent security measures in place, including working with leading IT vendors from around the world,” the company said in a statement.

The possibility that Ashley Madison could be vulnerable to an online attack is hardly surprising, given that hackers earlier this year compromised the privacy of some 3.5 million users of hookup site AdultFriendFinder.com. Meanwhile, the websites of some of the world’s biggest corporations and governments have also suffered embarrassing breaches in recent years, including U.S. defence contractor Lockheed Martin and the Canadian Security and Intelligence Service spy agency.

Given all the controversy Ashley Madison has generated since its launch in 2001, it nevertheless seems ironic that the biggest threat to the site’s livelihood comes from something as increasingly ubiquitous as a basement-dwelling hacker, albeit one with a steady moral compass. Several U.S. networks have banned Ashley Madison TV commercials, Toronto’s transit agency banned its ads on subways and streetcars, and Singapore has banned the site altogether. Ashley Madison also managed to survive a $20-million lawsuit launched by a former employee who said she was told to type up fake profiles of women for the website (the suit was dismissed by an Ontario court).

At the same time, founder and CEO Noel Biderman, who claims to be happily married, has proved surprisingly adept at defending his creation in all manner of high-profile media interviews, including on popular U.S. TV shows like The View, The Today Show and Hannity, who called Biderman a “pimp.” Biderman’s response, generally, has been to point out that he didn’t invent cheating, and is merely providing a platform for cheaters to do what they would do anyway. He’s also argued that Ashley Madison “saves” marriages by giving sexually frustrated spouses a discrete and convenient outlet.

Morality aside, the online attack on Ashley Madison couldn’t come at a worse time for Avid Life. It’s in the process of preparing for an initial public offering of shares in the United Kingdom that could value the company as high as $1 billion. The firm’s earlier attempt to go public in Toronto in 2010 was thwarted by a lukewarm reception on the Street, with a company official later explaining that Europe was a better market for an IPO because of its more liberal attitude toward adultery.

As the Wall Street Journal prophetically pointed out earlier this year: Avid Life would be wise to include hacker attacks in the “Risk Factors” section of its IPO prospectus—if it hasn’t already.