Suicide is a difficult topic to discuss. It has claimed many well-known individuals in society at large and in information security. It is a difficult topic for me to discuss since one of my best friends in college committed suicide just a few years ago, something I still struggle to talk about. As many of you know, I am a veteran, and far too many of my fellow veterans have also taken their own lives, at a rate far higher than the population at large. There have been a number of high-profile suicides in my home town recently.
If this is ever anything you have thought about or considered, don't give in. You have no idea how much you mean to those around you. No matter how badly people have treated you; no matter how badly you may have failed or what you may have lost, you are valuable. You will rebound. Even if you cannot see it now, you have meaning. Talk to someone; your life has value.
Suicide is probably a more important issue than most of what we deal with in infosec, giving us all the more reason to make sure we are treating it seriously and honestly. Unfortunately, it is all too easy for the security world to exaggerate and overstate, and creating fear, uncertainty, and doubt is too often rewarded. Talk of "cyber-war" is common, yet physical destruction due to cyber attack is so rare as to be almost non-existent, while death by hacking to my knowledge had never before been confirmed. While hacking forms a large role in target selection for military strikes, the death of Michael Hastings was the only death widely speculated to be a direct result of hacking. In a breach like Ashley Madison, with plenty of real consequences, there's no shortage of hype. For example, John McAfee suggested "25 percent of the adult work force of our country" might be immobilized for a time and "acting in ways that would strain our police and legal resources to the max." Of course, nowhere near this apocalyptic level of mayhem was reached.
Others have suggested the Ashley Madison breach may result in a cascading change in culture away from storing sensitive information in online services. After a long string of other high-profile breaches affecting far more people with no such result, I am skeptical of this, although I think it will serve as an easy-to-understand example of the importance of security for many people. There's no question many people's lives have been affected; the CEO was forced to leave, lawsuits have flown in every direction, millions of passwords have been cracked, a seemingly endless series of discoveries of questionable business practices have been unearthed.
But the most serious outcome of the hack to be claimed are the suicides of a number of its users. The Toronto police said there were two unconfirmed suicides related to the hack in their press conference. One suicide of a police captain from San Antonio, Texas (where I live) was initially reported to be due to the Ashley Madison hack, but later it became clear that the captain had never used the site and was not in the leak. More recently, a New Orleans pastor who had used the site committed suicide, leading the tech headlines. All of these deaths are tragedies, but demand a closer look, as the numbers may tell another story.
An analysis of the data dump by Gizondo shows there were 31 million male profiles and about 5.5 million female profiles. Just over 70,000 of the accounts were bots, which contacted over 20 million male profiles to encourage them to spend more money at the site. While it's impossible to know exactly how many real people are behind all those accounts, a number between 20 million and 37 million seems fair.
The suicide rate in the US is 12.8 per 100,000 people per year. It's slightly less in Canada, higher in Japan, and lower in the UK, so we'll just use the US figure as an approximation. If the Ashley Madison userbase matched the US population as a whole, we would expect 20 to 37 million * (10 / 100,000) or 2000-3700 suicides per year, 5.5-10.1 per day, just from random chance, in the absence of any hack. But the userbase did not match the US population as a whole. It was overwhelmingly male, and the suicide rate for males is far higher than the population as a whole; 19.4 per 100,000 per year in the US vs 5.2 for women. Taking this into account, we would expect 10.6 to 17.3 Ashley Madison user suicides per day. But that's not all; the suicide rate for children is extremely small; suicides sharply increase from the late teen years to about age 25. Ashley Madison's users were naturally also overwhelmingly adults, further increasing the statistical rate.
It's been about 3 1/2 weeks since the dump was released. In a random selection of 20-37 million people matching Ashley Madison's user demographics, at least 250 to over 400 people have committed suicide. If three Ashley Madison users have committed suicide, they would have a suicide rate less than 1/100th that of the population at large. What's going on? Is there a reason Ashley Madison users would have a lower rate of suicide following the breach? Could the breach have had the opposite effect on some people, perhaps causing them to confront their struggles openly instead of hiding from them or somehow otherwise reconsider their life and relationships? I don't know. But we have not seen nearly as many suicides as statistics would tell us to expect. So I won't be supporting the deadly hack story; there's just too much more we need to see. Suicide is a real problem we need to deal with; and so far, hacking has had little effect on it.