In a welcome turn of events, the Toronto Police Service announced in a press conference on Aug. 24 that it is leading a global investigation into the hack of infidelity Website Ashley Madison. During the press conference, Avid Life Media (AVM), the owner and operator of the Ashley Madison site, offered a $500,000 reward for information leading to the identification, arrest and prosecution of those responsible for the Ashley Madison database leak.
The hack of the Ashley Madison site was first disclosed in July, with the attackers, who identified themselves as “The Impact Team,” threatening to dump the database, which is what occurred on Aug. 19. While the breach at Ashley Madison has exposed more than 30 million individuals that were members of the site to public scrutiny, it’s important to remember that a crime occurred and AVM is the victim—which is where the Toronto Police Service comes into play.
Although the Ashley Madison Website has members around the world, AVM is based in Toronto. While the Ashley Madison hack has global implications, at its core, it represents a breaking and entering into a Toronto organization. Toronto Police noted during their press conference that they are working with law-enforcement agencies around the world, including the U.S. Federal Bureau of Investigation, to identify the criminals.
It is somewhat curious on the surface that the Toronto Police force is taking the lead on a global cyber-crime affecting more people than the entire population of Canada as a whole. Toronto has a population of nearly 3 million, Canada has a population of 35 million, and Ashley Madison’s client database is approximately 37 million.
When Target was breached in 2013, Minneapolis police didn’t lead the investigation, and Atlanta police didn’t lead the investigation into the breach of Home Depot in 2014. In both those cases (and many others like it), the FBI was brought in to lead the investigation and not the local police force where the breached company is headquartered. In Canada, there isn’t an equivalent agency to the FBI, though there are the equivalent of state police (in the Toronto area that would be the Ontario Provincial Police) and, at the federal level, the Royal Canadian Mounted Police (RCMP).
The RCMP are quite active in the realm of cyber-security and are the only police force in the world that arrested someone in connection with attacks related to the Heartbleed vulnerability in 2014. In that case, the attacker went after the Canada Revenue Agency, which is the Canadian equivalent to the Internal Revenue Service.
So why is a local police force leading the charge here? Simply put, the Toronto Police Service has taken an active role in cyber-crime investigations for more than a decade. Back in 2005, Toronto Police collaborated with Microsoft to help build a system to track and identify child pornographers around the world. While a local police force might not seem to be ideally suited to investigate a hack like the breach of Ashley Madison, Toronto is where the victim—AVM—is located, and therefore, Toronto is the jurisdiction where the crime investigation will now be led.
It also helps that AVM actually contacted the Toronto Police Service. During the press conference, it was revealed that AVM went to the Toronto Police eight days after the initial hack disclosure.
Toronto Police Hunt for Hackers Who Hit Ashley Madison Site
“When reporting these events to the police, Avid Life advised that the suspects had, in fact, already made good on the threat by releasing the information of two Ashley Madison clients—one in Mississauga (Ontario, Canada) and the other in Brockton, Mass.—on July 19 through the Internet,” Acting Toronto Police Service Staff Superintendent Bryce Evans said.
Toronto Police are now encouraging anyone with information about the Ashley Madison hackers to contact them at 416−222−TIPS (8477), online at 222tips.com, text TOR and a message to CRIMES (274637), or leave A Tip on Facebook, or contact the Ashley Madison Task Force at (416) 808-2040.
The Ashley Madison hackers have alleged that AVM was somehow negligent and didn’t properly secure the information of its members. While Evans did not directly address that allegation, he said that the Toronto Police did not find any criminal wrongdoing on the part of AVM.
While the Toronto Police Service is not laying any blame at the feet of AVM, others are. Multiple class-action suits have been filed against AVM in Canada as well as in the United States alleging that the Ashley Madison site operators did not properly secure data. The question of whether or not AVM properly secured data is also interesting in the light of the U.S. court decision affirming that the Federal Trade Commission (FTC) has the authority to sue companies that do not properly secure user data.
Regardless of whether AVM was somehow negligent, global law-enforcement professionals will now coordinate with Toronto Police to bring the Ashley Madison hackers to justice.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.