Users on Reddit and those commenting in other places, state that the company is promoting ambulance-chasing FUD, but it isn't clear if there have been any sales as a direct result of the search to marketing program.
The company posted a blog in an attempt to explain what they've done, but despite their excuses, it was made clear that "business is booming."
They also attempted to distance themselves from the ambulance-chasing argument:
"Before the Ashley Madison data was published on August 18, we were receiving a lot of requests in cheating investigations about it. People wanted to know if their spouse had an account, and was using the site to cheat. We weren’t able to answer that question for our customers before. We owe it to our customers to make the data available to them, if they ask."
Ashley Madison hackers admit to using valid processor credentials to obtain credit card data:
During an email exchange with Motherboard, Impact Team made an interesting admission concerning the financial data from ALM that was leaked to the public:
"They said they don't store CC [credit card information]. Sure, they don't store email either; they just log in every day to server and read. They had password to CC processor. We dumped from CC processor... They have payment processors. The payment processors store most of the credit card number and billing address. Like how Gmail stores their email. They can log in and look up transactions."
The first question that comes to mind is the name of the credit card processor. Who was compromised, and did the ALM account used expose other records or accounts due to a vulnerability of some kind on the processor's back-end?
Is there a PCI issue? Vinny Troia, Director of security and risk consulting for McGladery, said that if Impact Team got the card data out of the card processor, the situation would then fall under one of the grey areas of PCI.
"Whose responsibility was it?" he questioned.
"PCI requires that someone review all access to card data at least daily. So if someone pulled a report that had every user's card number in it, someone [at ALM] should have gotten an alert that it happened," Troia explained.
"The grey part would be if it was the [ALM] employee's responsibility to review that report and respond, or was it the card processors responsibility? Truthfully it is a bit of both, but I am sure that the card processor will be able to say they have no knowledge of [ALM’s] business practices, and wouldn’t know which reports were standard course of business and which were suspicious, so that will likely land on [ALM]."
Sign up for CIO Asia eNewsletters.