Ashley Madison could face a European data breach probe following a potential leak affecting the dating service’s 37 million customers, CBR can reveal.
Discussions among data regulators in the EU have already opened around which member state would lead any investigation, with responsibility falling to the host of Ashley Madison’s European headquarters, and Cyprus named as a likely candidate.
A spokesman from the UK’s Information Commissioner’s Office (ICO) told CBR: "It’s clear that any potential data breach involving this company could affect people around the world.
"With that in mind, we’ll be liaising with our international counterparts to learn more about what is being done in response to these claims."
Earlier this week the dating site, which caters to those looking for an extramarital affair, was brought into the spotlight after hacking group The Impact Team posted a portion of an alleged data cache containing identity, payment and sexual information on Ashley Madison’s customers.
Since then the site’s owners Avid Life Media have sought to mitigate the damage from the breach, with the hackers having targeted the site over its "paid-delete" service, which charges users £15 to scrub their details from the site.
At the time of the initial leak The Impact Team claimed the deletion service did not work, a notion that has been disputed by Avid Life, which decided to offer the service free of charge for the foreseeable future.
"Contrary to current media reports, and based on accusations posted online by a cyber criminal, the ‘paid-delete’ option offered by AshleyMadison.com does in fact remove all information related to a member’s profile and communications activity," the company said.
"The process involves a hard-delete of a requesting user’s profile, including the removal of posted pictures and all messages sent to other system users’ email boxes."
Commenting on a potential fine from a European data regulator such as the ICO, Mahisha Rupan, senior associate at law firm Kemp Little, said it was not Avid Life’s greatest problem.
"The damage to customer trust and reputation is likely to be a bigger blow to Ashley Madison than any fines levied by the ICO (which are capped at £500,000)," she told CBR.
"A key cornerstone of data protection laws is that companies should not be keeping data that it no longer requires. For those users that didn’t opt for the paid deletion route, it is unclear why Ashley Madison would be keeping their profiles alive."
Rupan also speculated that users might be able to claim Ashley Madison was holding "excessive amounts of out-of-date information", or that the site was violating its own terms and conditions, a breach of contract.
Avid Life claimed that it already has a suspected culprit for the attack, who is alleged to be familiar with the firm’s systems but not a member of staff.
Image – EU Commission HQ by Amio Cajander