When first reading about the hackers who stole massive amounts of sensitive customer information from Avid Life Media, I was sitting on my front porch and the distinctive voice of Cher emerged from a passing car, belting out lyrics to the song “If I Could Turn Back Time.”
I remember this moment clearly because I am one of the few married individuals with no reason to be ashamed by my history with the Toronto-based company, which is best known for running the controversial Ashley Madison adultery service.
Now, before you jump to conclusions, let the record state that my wife is aware of my time spent on the Ashley Madison site — and I am not a swinger in an open marriage. I was paid to explore the service for a business magazine when Avid Life was seeking to go public back in 2010. I never spent a penny on any transactions. I didn’t even issue a wink.
Anyway, when I heard the Cher tune playing, I immediately wondered how many of Avid Life’s customers had given any thought whatsoever to the risks involved in attempting to use its infidelity service to secretly break wedding vows sworn in front of friends and family. Whatever the number, I concluded that you can safely bet it pales in comparison to the number who regret ignoring the risks now that they have been outed as cheat club members.
After hacking into Avid Life’s systems in July 2015, a group calling itself the Impact Team warned that customers would pay the price if the company didn’t take down AshleyMadison.com along with the site of a companion service called Established Men, which exists to connect “ambitious and attractive girls with successful and generous benefactors to fulfill their lifestyle needs.” For some reason, the company’s CougarLife.com site, which makes money matching young men with “sexually charged older women,” was not threatened.
In August, after Avid Life refused to respond to the illegal threats, the Impact Team posted 9.7 gigabytes worth of the company’s sensitive data to the so-called Dark Web, where other technically skilled individuals immediately started making it available to the general public. According to Wired, the files in question appear to include account details — including customer names, addresses, emails and log-ins — for some 32 million users along with payment transaction details dating back to 2007.
In response, Avid Life — which is offering a $500,000 reward for information leading to the arrest of the hackers — insisted that the data dump was an act of crime, not hacktivism, perpetrated by moral bullies trying to impose their personal notion of virtue on others. “It is an illegal action against the individual members of AshleyMadison.com, as well as any freethinking people who choose to engage in fully lawful online activities,” the company said. “We will not sit idly by and allow these thieves to force their personal ideology on citizens around the world.”
Nevertheless, the data breach could not have come at a worse time for Avid Life’s growth strategy. Looking to finance global expansion, the company — which now faces numerous potential class-action lawsuits —announced plans earlier this year to raise about $200 million via an initial public offering in London. The proposed IPO reportedly valued the company at around $1 billion. What it is worth today is an open question.
It is obviously too late for Ashley Madison users to rethink the risks associated with chasing the offered rewards. However, it is not too late for investors still waiting for a chance to buy into Avid Life. First and foremost, they should think about why the company was looking to list overseas when the United States is Ashley Madison’s largest market. After all, as company spokesperson Christoph Kraemer told Bloomberg News earlier this year, Europe is the only region where the company sees “a real chance of doing an IPO.” And that was not always the case. In early 2010, Avid Life tried to go public in North America, but plans were derailed by investment bankers afraid to get into bed with the idea of supporting adultery.
The company exited 2009 with a respectable profit of $8 million (before interest, taxes, depreciation and amortization) on $30 million in sales. Looking to let others in on the action, while improving results through acquiring growth and diversification, management proposed a $60-million private placement. The plan was to use these funds to buy Moxy Media, a much larger online advertising outfit, and then go public via the reverse takeover of a listed shell company.
The offering in question was clearly attractive on the fiscal front at a time when the Canadian market was hungry for good investment opportunities. Nevertheless, only one Bay Street investment bank, Toronto’s GMP Capital, was willing to market the private placement. The uncharacteristic shyness shown by other Street people attracted the interest of Canadian Business magazine. After all, investment banks around the world have been known to help raise funds for cable companies that deliver porn, not to mention manufacturers of booze and tobacco products that contribute to costly social and health problems.
As one of the magazine’s investigative journalists, I was assigned to explore whether or not GMP was doing the right thing by supporting a morally questionable business. There was no other agenda going into the story, which was actually encouraged by an Ashley Madison publicity pitch that suggested the time was ripe for a feature on Avid Life founder Noel Biderman, a former sports agent who reportedly developed the idea for an infidelity service while helping pro athletes manage their personal lives. “While some may have their negative opinions about what we do,” the publicist wrote, “it doesn’t change the fact that our CEO had an idea and transformed that idea into a very profitable business.” That was true. But Avid Life’s desire for publicity came back to haunt the company after the due diligence I did investigating the business raised an issue that gave GMP cold feet.
Shortly after Avid Life’s only dance partner on Bay Street started marketing the deal, competitors began whispering that GMP was only selling the private placement because some of its employees had already invested in the company. After being bad-mouthed for hooking up with Biderman, the independent firm agreed to sit down with me and justify its position. And as I reported in a Canadian Business feature entitled “Abandoned at the altar,” a Friday-afternoon meeting took place in GMP’s boardroom, where company management insisted nobody with a stake in Avid Life was involved in the decision to market the controversial deal. That decision, I was told, was made because opting out on moral grounds was considered hypocritical.
This argument was not without merit. In fact, numerous businesspeople I interviewed for the story argued that GMP deserved a medal for not filtering legal investments from the market. But when presenting its case for boldly putting its reputation on the line in order to let investors decide what was right for them, GMP management was obviously still trying to convince itself because one simple question from me was all it took to kill the deal. And all I asked GMP about was what the firm thought about the following Ashley Madison posting:
To be honest I’m really looking for a sugar daddy, so if that isn’t you I wouldn’t waste your time replying. I’m looking for a generous man that loves to take care of a younger lady, i am 18 and have just started university and my parents aren’t paying a cent for it (when i say parents I mean my mother, i have no clue where my father is these days) So if there is a nicer gentlemen on here that really gets off on helping a young women with some bills, taking stress of her shoulders while recieveing the same back both emotionaly and physically please msg me.
As far as I was concerned, the posting didn’t suggest any relationship all that different from the relationships set up by Avid Life’s Established Men service. Nevertheless, after I read that message to GMP’s senior management, blood drained from the faces of every banker in the room. The meeting was cut short so the firm could think on the matter. Monday morning I received a phone call informing me that GMP had withdrawn its support for the deal due to concerns over market conditions that had not changed.
Shortly after my meeting with GMP, Avid Life decided it no longer wanted to participate in my story. But company lawyers were quick to send along a letter that noted all of its services were governed by a robust set of terms and conditions that dictated users must be at least 18 and that illegal activity, including prostitution, was expressly forbidden. I included this fact in my feature article, along with the arguments put forth by company supporters, but Avid Life’s plan to go public in North America remained dead in the water.
The rejection of Biderman’s business by investment bankers in 2010 both divided and amused people. As I reported in Canadian Business, Bay Street jokers playfully suggested the deal was doomed from the start because no male fund manager in his right mind wanted to go home and tell the wife, “I liked Ashley Madison so much that I decided to buy the company.” The issues raised, however, were serious. Indeed, as an Ivey case study on Avid Life’s failed private placement offering makes clear, Bay Street’s fear of supporting adultery provides excellent fodder for debating the function of firms from competing perspectives, meaning the shareholder perspective that sees the firm as an instrument for the shareholder versus the stakeholder perspective that views the firm as an instrument of society.
The hacker attack on Avid Life – which reportedly generated more than $100 million in revenue last year – has also divided opinion while expanding the fodder for this debate at a time when understanding the perspective of both sides is particularly important for future business leaders who will have to balance the needs of shareholders with those of society. But while it is hard not to laugh at some of the details (at least nervously), fallout in this case goes well beyond a derailed IPO. And when you think about the massive violation of privacy involved, the story really stopped being amusing long before unconfirmed reports of related suicides started circulating.
At the very least, this incident should serve as a wakeup call to consumers who freely send sensitive information into cyberspace, not to mention blindly trust others to protect it. Hopefully, employees everywhere will finally start to understand why using work emails for personal online business is often both irresponsible and career-limiting. As for management, well let’s just say that organizations need to seriously re-examine how well they protect confidential data from internal and external threats.
These, of course, are obvious lessons. What about the bigger picture?
You don’t have to read Milton Friedman to appreciate why unpopular minorities benefit from having a free economy unfettered by moral judgements. And there is no question that investing in public companies that cater to base demands has paid off in the past. As Dallas-based fund manager Eric Lansky explained to me when I was examining the role of investment banks in 2010, so-called “vice funds” have often outperformed the market because sinful ventures “typically come with great barriers to entry, little competition, almost monopolistic pricing power and strong, stable cash flow.” You can also argue that morality actually costs investors by limiting the ability to diversify.
But when it comes to investing in Avid Life, you don’t have to believe that assisting adultery is wrong to be concerned by the reputational risks. After all, you are actually betting on what other investors think about it. And the fact of the matter is that plenty of serious capitalists hate the Ashley Madison business model on moral grounds. Indeed, as billionaire fund manager Stephen Jarislowsky told me the first time Avid Life attempted to go public, “I don’t mind investing in liquor, because without it, you’d miss something in life. I tell friends to stop smoking, and I still buy tobacco companies. But Ashley Madison shouldn’t be a public venture, because it can destroy families. And there is nothing worse than the effect of divorce on children. There are thousands of other stocks to buy, so why bother with this crap?”
Simply put, while anyone is free to argue that businesses are not social endeavours and should exist for the sole purpose of generating investor returns, this line of reasoning is at odds with everything that the CSR movement represents. Meanwhile, thanks to social media, the risks involved with supporting questionable business models have increased dramatically since GMP’s relationship with Ashley Madison blew up like the fling in Graham Greene’s The End of the Affair. (Keep in mind that the number of active monthly Twitter users alone has increased more than tenfold, from 30 million to 304 million, since early 2010.) Furthermore, the risks associated with being an our-business-exists-for-profits-only enterprise now extend well beyond the realm of reputation.
Impact Team hackers have already stated that they see any business that profits “off pain of others, secrets, and lies” as fair game. As a result, having your business disrupted by hacktivists is now something that needs to be on the radar of anyone involved with (or invested in) a company that pushes social hot buttons. But companies that are not clearly controversial also need to be concerned because while the Ashley Madison affair is just the latest in a string of high-profile hacker attacks, it actually represents the dawn of a new era of risk management.
Long before the hacker attack on Avid Life, the common feeling amongst North American institutional investors was that the company represents something extra risky in the reputation department. And although Avid Life moved its IPO hopes to Europe, media reports suggest investment bankers across the pond were not falling over themselves to hook up with Biderman’s company. But there are other reasons to take a pass on investing in Avid Life if it ever makes it to market. After all, the company was not targeted by hackers simply because it helps married people break their wedding vows. Impact Team members were also moved to act by the company’s questionable practice of populating the Ashley Madison site with fake profiles, not to mention its overconfident privacy claims and the fee it charges to delete user accounts. These are essentially customer service complaints.
To date, Avid Life has denied any and all wrongdoing and stands by its service promises. But whether or not Ashley Madison provides the quality of service that it claims has been an open question for years. In 2012, a former employee named Doriana Silva made headlines, claiming to have suffered from repetitive strain injury after being hired to write fake female profiles for Ashley Madison that she alleged were used to entice men to spend money on the website. According to court documents, Silva — who was seeking about $20 million — was tasked with creating 1,000 fictitious profiles in just three weeks.
Silva’s ambitious bid for claiming big-money damages lost whatever credibility it had after Avid Life distributed images of its former employee riding a jet ski. But the company did not deny the existence of fake profiles. In fact, as noted in a 2013 Business Insider feature entitled “Why It May Be Legal for Affair Site Ashley Madison to Lure Guys with Fake Profiles,” the Ashley Madison site disclosed the use of bogus female members known as Ashley’s Angels. The site’s terms and conditions state:
The purpose of our Ashley’s Angels is to provide entertainment, to allow you to explore our Services and to promote greater participation in our Services. Ashley’s Angels attempt to simulate communications with real members to encourage more conversation and interaction with users. We also use Ashley’s Angels to monitor user communications and use of our Service to measure compliance with the Terms. Further, we may use Ashley’s Angels in connection with our market research to enable us to analyze user preferences, trends, patterns and information about our customer base. Ashley’s Angels are not intended to resemble or mimic any actual persons.
Whether this practice is clearly legal or not, cyberspace plays host to plenty of negative reviews from would-be adulterers who feel misled by the company’s fake members.
What about the account delete fees? The Impact Team claims that Ashley Madison netted $1.7 million in 2014 by charging customers for removing usage history and other information that could identify them, but failed to do a thorough job of this. Whether or not the company actually did enough to meet reasonable customer expectations in this area also remains open to question. Either way, the level of privacy protection offered users helped trigger both the hacker attack and the data dump that followed the company’s decision to remain operational.
Hacktivism has been on the edge of my radar since 1998, when Wired reported that the underground computer group Cult of the Dead Cow had launched hacktivism.org to host online workshops, demonstrations and software tools for digital activists. Back then, as a tech-magazine editor, I never imagined just how much damage could be done. In the dot-bomb era, when I moved to London to work as head of investor relations for a pre-IPO venture capital outfit, I spent pretty much all of my time worrying about what regulators might think about questionable statements issued to the market without my approval by more senior executives. But I never once imagined having any of our portfolio companies targeted by hackers over aggressive messaging. Today, I would.
I was thinking about this when reading a Globe and Mail report on a recent video-link address given by Andrew Fastow to the Canadian Society of Corporate Secretaries. In his talk, the former chief financial officer of Enron — who was not allowed into the country after spending more than five years in prison for securities fraud — freely admitted that he never once considered the ethical implications of his actions. “That was my character flaw, and I’m very embarrassed about that,” he reportedly said while holding his prison ID in one hand and a CFO of the Year award he once received in the other.
But while Fastow didn’t think in ethical terms, he also never sat around with a bunch of sinister guys imagining ways to break the law. He didn’t feel like a criminal. As he put it, he was proud of his work because he saw it as his job to find loopholes and stretch accounting rules, and he was good at it. And the directors who signed off on his schemes, which allowed the company to ignore the spirit of the law by operating in the grey zones, didn’t ask about the moral implications of his accounting practices or whether or not the company’s long-term interests were being served by them. According to Fastow, Enron’s board really just wanted to know that the company was covered by some argument that justified its actions.
The importance of ethics and transparency dawned on Fastow only after he had to explain to his son why he was locked up. Today, he urges executives and board members to show more character and reject the can-we-get-away-with-this standard. Instead, he thinks all management decisions should face one simple question. “If this company were privately owned, and I were leaving this company to my grandchildren, would I make this decision?”
Referring to a Gizmodo analysis of leaked Avid Life data that suggests Ashley Madison is a site where tens of millions of men spend money looking to hook up with women who just aren’t there, many critics now openly call the service little more than a scam. “This isn’t a debauched wonderland of men cheating on their wives,” reports tech journalist Annalee Newitz. “It’s like a science fictional future where every woman on Earth is dead, and some Dilbert-like engineer has replaced them with badly designed robots.” But the point here is not to compare the business activities of Avid Life to criminal conduct at Enron. The Canadian company has not in any way been accused of cooking the books. The point here is to argue that short-term thinking can be dangerous even at companies that can legally justify their actions, which is why investment opportunities are better when they involve companies that are clearly ethically managed for the long term. In other words, conservative investors should avoid any company that isn’t run like private firms being handed down to family members.
Research clearly shows that short-term thinking hurts long-term business performance (for more on this, see this study by Ivey Business School Professor Tima Bansal and Ivey Assistant Professor Caroline Flammer). In Avid Life’s case, management has clearly been focused on developing an exit strategy for early investors. That isn’t necessarily a bad thing. But it is a red flag when combined with questions being raised over the company’s service quality, not to mention the tactics used to drive membership growth and increase Avid Life’s attractiveness as an investment.
Simply put, while Biderman — who resigned as CEO following the hacker attack (which also exposed emails including embarrassing details about his own personal life) — clearly has the skills required to build a multimillion-dollar business , he also appears to have been too confident and courageous as a leader to pass the character test that risk-averse investors should apply. This boldness can be seen in the company’s aggressive advertising (one U.S. billboard ad designed for Presidents Day last year depicted former U.S. leaders Franklin D. Roosevelt, JFK and Bill Clinton next to a caption that read, “Who Said Cheaters Never Prosper”). It can be seen in Avid Life’s mixed marketing messages (the company insists Ashley Madison does not encourage anyone to stray, then uses the motto “Life is short. Have an affair”). And this boldness can be seen in the over-the-top showmanship that Biderman showed as an Ashley Madison spokesperson (as the self-proclaimed King of Infidelity, he was a regular on the talk show circuit, where he promoted his business by pushing his book Cheaters Prosper: How Infidelity Will Save the Modern Marriage).
Biderman’s boldness, of course, can also be seen in the company’s long history of boasting about being the best place in the world to secretly have an affair, which is akin to whacking a hornet nest in the digital age when you are also not doing enough to prevent confidential data from theft.
Keep in mind that leaders can be too brave. As noted in Developing Leadership Character, a soon-to-be-released book by Ivey Professors Gerard Seijts, Mary Crossan and Jeffrey Gandz, courage in leaders is widely seen as a virtue, but it can quickly turn into a vice when not balanced by temperance, which is just one of 11 dimensions of character that Ivey research shows is required to create the type of leader worth betting your savings on. “This isn’t an issue strictly for corporate boards,” says Seijts, who heads the business school’s Ian O. Ihnatowycz Institute of Leadership. “Investors are always free to take a flyer on controversial companies run by courageous and aggressive CEOs, including ones that promote dishonesty. But the risks associated with ignoring the need for leaders with character based on balanced virtues are like wedding vows, meaning they are not something to be taken lightly.”
There is another lesson to be learned from the Ashley Madison affair. This one is for the hacktivist crowd. Like it or not, people and companies alike often get away with breaking commitments and misleading partners because the market, regulators and courts of law often fail to act. But we still have a system with legitimate judges and nobody can morally justify illegally acting outside this system simply because they think they can get away with it.
When attacking Avid Life, the Impact Team hackers might have seen themselves as leaders in the fight against questionable businesses practices. But as noted above, true leaders demonstrate leadership character in addition to skills and commitment. And that can’t be done by committing crimes to teach lessons to an insignificant company in a way that could easily destroy the lives of countless strangers. With the damage that has been done, the hackers in this case could easily find themselves also wishing they could turn back the clock on their actions, even if they are never outed.