Some online dating sites were breached this week, and 37 million users’ data might be compromised. Business Technology’s resident U.S. blogger Keil Hubert muses that there’s probably good money to be made consulting to the victims.
How much would you be willing to pay to avoid experiencing a messy and expensive divorce? Depending on your social status, net worth and relative vulnerability, I’d wager that most people would probably be amenable to paying a princely sum in order to avoid losing half (or more) of their wealth and power. That’s a pretty strong need, and the number one rule of business is that an unmet need in the market represents an opportunity for the first-mover to get very, very rich.
On Monday, 20th July, the story broke that a group calling itself ‘Impact Team’ had compromised two of three dating-themed websites run by Avid Life Media – AshleyMadison.com and EstablishedMen.com. The baddies of the story posted a warning to ALM’s owners that they had compromised the sites’ core infrastructure and user databases. They also threatened that they’d divulge the actual identities of their users to the general public if ALM failed to shut the two ‘offending’ sites down. Brian Krebs of KrebsOnSecurity dryly summarized it thusly:
‘Large caches of data stolen from online cheating site AshleyMadison.com have been posted online by an individual or group that claims to have completely compromised the company’s user databases, financial records and other proprietary information. The still-unfolding leak could be quite damaging to some 37 million users of the hookup service, whose slogan is “Life is short. Have an affair.”’
If the outraged hackers’ public statements are to be believed, they were miffed that ALM’s sites ‘cheated’ customers when they sold their users a service for erasing one’s existing account data – in exchange for a small fee, the site admins said that they’d delete all of a user’s account records (including real names and credit card data) from their user database. The hackers claimed that ALM was taking people’s money and not delivering on that promise to expunge records. Might be true, might not; I don’t know.
Setting aside the feigned ‘moral outrage’ over the nature of these sites’ intended purpose, the breach itself is a straightforward cyber crime story, and should have had the same effect on the collective consciousness as any other large user data compromise. The recent compromise of 21.5 million users’ records from the U.S. government’s Office of Personnel Management will probably turn out to be more economically damaging to its victims; OPM’s breach was just slightly less embarrassing to the victims. Still, the principles of data exfiltration and misuse are essentially the same for both.
As per usual for the Internet, a metric ton of smug moralizing clogged up social media in the wake of the story as scads of holier-than-thou commenters gleefully disparaged the victims of the hack. Most of the nasty posts that I read following the announcement argued that people who cheat on their partners don’t deserve to have their personal data protected from disclosure or exploitation. The way the condescending posts framed it, using ChristianMingle.com or J-Date.com, or even Tndr.com to find a partner would be okay with the moralizers, but not AshleyMadison.com… even though the end result for all such sites is identical for all practical purposes: user A hooks up with user B.
Looking at the problem from a coldly dispassionate business perspective (as opposed to a self-righteous moral perspective), this situation represents a compelling revenue-generating opportunity for someone with the right skills. The general prevalence of extramarital conduct seems to run anywhere from 10 per cent to 50 per cent of married adults (depending on which surveys you favour), which suggests that there’s a sizeable existing customer base.
Historical evidence going all the way back to the Roman Empire suggests that cultures that claim to demand marital fidelity tend to bring legal and social censure down on a person who’s caught engaged in an affair. As a recent, high-profile example, consider the rise and fall of General David Petraeus, the director of the US Central Intelligence Agency. He lost his job and his reputation at the apex of his career over a corroborated accusation of infidelity.
This all came into sharp focus for me after the (always delightful) Twitter sensation ‘InfoSec Taylor Swift’ (a.k.a. @SwiftOnSecurity) posted this quip on Monday afternoon: ‘For 90 Bitcoin I will tell your wife I created your Ashley Madison profile because I’m obsessed and I wanted you to break up.’ I snorted coffee out my nose when I read that tweet. The obfuscated InfoSec boffin behind this account had tapped the zeitgeist – there’s a definite market here, and some ambitious young start-up can make a bunch of money doing something like this – if they can deliver on the service.
If you’re on Twitter and NOT following @SwiftOnSecurity, why are you on Twitter?
Here’s how I see it: the first-to-market firm would be creating a new IT niche called ‘Deniability as a Service’ (DaaS), in the fine IT tradition of calling bloody everything that you can outsource as an ‘X as a service’ product. In this case, the user story and business model would work as follows:
First, a reasonably affluent person (our customer) discovers that he or she might be affected by an online dating site disclosure of their personal information. The customer fears that they’ll lose their reputation, their job, their fortune, and/or their family if their previous clandestine conduct gets made public. The highly-motivated customer contacts our DaaS consultancy and agrees to pay a large (but reasonable) price in exchange for receiving compelling proof of rock-solid deniability.
The DaaS provider manufactures falsified evidence in the form of documents, invoices, social media profiles, etc. that make the case that the client him- or herself wasn’t the user who created the compromised online dating account in their name, with their e-mail account or home address or mobile number or credit card. Instead, the ‘evidence’ makes the case that an ‘Evil h@x0r’ created the profile (and maybe even made use of it) using the ‘innocent’ client’s publicly-available data, and then used it to try and extort something from the client. The DaaS consultancy would masquerade as an online reputation management company (under a highly-obfuscated shell corporation or three) that had been paid to take over the client’s identity in order to pursue the (completely fake) baddie and to prevent the ‘client’ from being harmed. It’d all be retroactive continuity, building a pile of evidence to tell a story that the audience wants to believe, but never actually happened.
When the press, the client’s employer, and/or the client’s outraged spouse inevitably finds out that the client was listed as a user of the compromised online dating site, the client can then call in the DaaS provider to ‘prove’ that he or she was never engaging in any actual shenanigans: time-stamped messages, digital audio voicemail recordings, invoices for reputation repair services, blackmail notes, and so on. The DaaS content team would run a stable of pre-generated fictitious online profiles, ranging from other ‘victims’ to that of the ‘extortionist(s)’ themselves in order to make their claims appear credible.
Improvisational actors would be a critical component of the service: professional ‘catfishers’ hiding behind manufactured online profiles could interact live (as needed) to corroborate claims made by the DaaS team’s on-site actors who (in turn) pretended to be cyber security forensic analysts and security consultants. The DaaS provider would put on a good show to mollify anyone who grows suspicious, Mission Impossible style (although probably without the gratuitous explosions).
Realistically, a few good salespeople, some talented voice and stage actors, some catfishers, some digital document forgers and a few good Photoshop image manipulators could successfully service several simultaneous clients, and they could do it all as a virtual corporation. This represents a small cadre of talent, optimized for a high-margin service delivery business model, with no need for a high-cost storefront. Put the company ‘in the cloud’ and assemble as-needed to clear up an engagement.
Could it be profitable? I think so: if we project that the people at the top 10 per cent of the wealth scale are as likely to engage in hanky-panky as the rest of the population, that suggests that a site like AshleyMadison.com – which boasts about 37 million users – likely has around 3.5 million multimillionaires and billionaires in their user database. If even one per cent of those wealthy users were terrified of losing their fortunes and/or reputations in a nasty public divorce, that represents around 350,000 potential customers who might pay very, very well to have their canoodling kept private. Even if you only charged each customer a nominal fee of £250,000, a small business focused on protecting these customers could do quite well for itself. A quarter million in discreet fees is a relative bargain for a customer with £10m+ of wealth on the line. Think about it… a good DaaS team could net a couple million pounds of revenue at a 75 per cent-plus margin for just a few weeks of intense consulting work. Most small IT consultancies would kill for numbers like that.
Here’s the thing: I’m not advocating for anyone to go out and create a DaaS company. I don’t have a stake in the problem, and I’m only considering the ‘solution’ as an academic exercise. On the other hand, this tongue-in-cheek business model could totally be a thing. In fact, it’s probable that there are already boutique firms out there serving the ultra-wealthy market that offer a service comparable to this one. The wealthy do things – and usually get away with things – that us normal people can’t consider, let alone attempt. Further, it’s a dead certainty that if an unexploited niche exists for someone with technical talent to make money, then some enterprising entrepreneur will inevitably fill that niche. It may be immoral and reprehensible, but it’s financially lucrative – therefore someone’s going to meet that need.
Just like ALM’s ‘infidelity facilitation’ site, for that matter: if people are already inclined to engage in a thing, and there’s money to be made in helping them engage in that thing, then someone will make money off of the thing. That’s just business. Dirty business, perhaps, but business all the same. At its heart, business and technology are both inherently amoral. It’s what we choose to do with our money and with our tools that defines us.
Along those lines, it would only be logical that a corresponding niche would also open up: a forensic investigations consultancy specializing in exposing engineered deniability operations. Call it ‘Counter-DaaS’… experts who tear apart ‘evidence’ in order to prove that the philandering party truly was philandering, so that the wronged party could prove what really happened in divorce court. These two business models would operate like submarines, each silently shadowing the other… both sides of the battle poised and ready to strike on behalf of their respective clients whenever another AshleyMadison.com-style breach event inevitably occurs… with proportionately devastating results, and appropriately ridiculous fees.
AshleyMadison.com focuses on married people who want to arrange an extramarital affair.
EstablishedMen.com focuses on connecting well-off men with younger, upwardly-mobile partners. A bit more specialized than its stable mate, but operating on essentially the same core principles.
By ‘victims’, I mean the sites’ users, not the company providing the service.
Or, just for fun, do what I did and type ‘Army General Adultery’ into Google and see how many powerful military men recently had their careers ended after engaging in some ‘indiscreet maneuvers.’
‘Catfishing’ is the practice of operating a fake social media identity in order to deceive people (for innocent or prurient purposes).
Keil Hubert is a retired U.S. Air Force ‘Cyberspace Operations’ officer, with over ten years of military command experience. He currently consults on business, security and technology issues in Texas. He’s built dot-com start-ups for KPMG Consulting, created an in-house consulting practice for Yahoo!, and helped to launch four small businesses (including his own).
Keil’s experience creating and leading IT teams in the defense, healthcare, media, government and non-profit sectors has afforded him an eclectic perspective on the integration of business needs, technical services and creative employee development… This serves him well as Business Technology’s resident U.S. blogger.