How GDPR would have stopped the Ashley Madison Data Breach


I’m sure we all remember the high-profile case of the Ashley Madison Data breach in 2015 where 37 million registered users of the adultery site were named and shamed online?  

The case brought to light troubling findings such as the “paid delete” option, where users were charged $13 to have their information removed completely or how Bots represented the vast amount of female “users” on the platform.

The results of the data breach had devastating effects on the organisation. A stream of high-profile lawsuits reaching $11.2 million, followed by a cancelled IPO, and even more disturbingly, 4 resulting suicides and countless blackmailed users of the service.

The consequences of the leaked data struck a very sinister cord with the public and the company is only now beginning to claw its way back from one of the largest PR disasters of modern times!

However, using the wisdom of hindsight, we look at the impact GDPR and how likely this is to happen again in the future.

1.       Disclosure

Organisations are now under GDPR required to notify Data Protection Authorities and ANYONE effected by the breach within 72 hours. In the case of Ashley Madison although the information wasn’t released by the Hacktivist group until August, the breach occurred in July. Today, even though the organisation is North American based they would be required to adhere to GDPR through their European user base.

2.       Risk Assessment & Management Structure

Ashley Madison had not carried out any formal risk management assessment of the data it held. Data protection legislation requires companies to put in place “appropriate safeguards”. GDPR, requires that companies have Data Protection Impact Assessments (DPIA) in place in order to identify and mitigate against data breaches relevant to their business. This includes incorporating data Audit tools such as

3.       Data Retention/Deletion

One of the major findings from the case was that Ashley Madison was charging its users $13 to have their personal data deleted, which in many cases wasn’t deleted at all! GDPR has given the power back to the public in this regard. Now organisations are required under “The Right To Be Forgotten” to delete an individual’s information once requested. Additionally, obligation is placed on Data Retention. Organisation now need to have Data Retention policies in place and are required to remove any personal data that is no longer in use or needed.

4.       You Can’t charge to Delete Data!

Companies need to be aware of the cost of collecting and handling data. The charge Ashley Madison placed on data deletion, they claimed, was justified due to the fact that it was expensive to implement a “full-delete” and the charge was issued in order to recoup this cost. Today, organisations need to build this cost into their business models. Identifying the risks and costs associated with collecting and deleting data is critical. Tools such as’s CriticalData, allow organisations to locate and delete data that is no longer needed quickly and efficiently.

5.       Data Is Not FREE!

Data collected by your business is costly. This cost will be enhanced depending on how much there is, how long you retain it, how many devices its stored on and whether its forwarded to 3rd parties or not. Organisations need to look at the costs associated with physical storage, developing processes to maintain accuracy and deleting when no longer required is vital to reducing these costs. You need to assess the ROI of keeping and collecting data and tools such as will allow you to locate and remove unused or unwanted data as needed.


Although the personal consequences and impacts of the data breach on the users was grave, the financial realities are that in 2019 with the rise of GDPR, the costs could have been a lot worse. With the higher of 20 million or 4% of global turnover being the potential fines for such breaches, negligence of this level of severity will be punished much more heavily from now on.

Although it was undoubtedly the most sensational, Ashley Madison was not the only dating site to be targeted by hackers. Online services of this nature appear to be fertile hunting grounds for the hacking community, with high profile cases such as in 2016 and The Guardian’s dating site Soulmates also being hit with personal data breaches.

In the end, almost 4 years since the hacker group “Impact Team” released the data of both internal staff and the users of the service, the case still serves as a major talking point about the dangers of poor data management and how we all need to put in place technology and processes that prevent reputational and financial loss of this magnitude.

Niall Kelly