Thirty-seven million records is a pretty paltry number to qualify for entry into the Data Breach Hall of Shame. It has nothing on the 130 million of Heartland Payment Systems or the 110 million of Target, for example. But in years to come, the attack in July 2015 on Avid Life Media (ALM), owner of infidelity site Ashley Madison, may be seen as a tipping point in how we treat digital privacy and the security of information shared with online service providers.
Many of the details have yet to emerge at the time of writing, but even at this early stage, it’s clear that the incident should force security managers to re-examine their cyber-defense strategies. Netizens, meanwhile, will want to take a fresh look at how much data they share online.
The Story So Far
On Sunday 19 July, Ashley Madison’s homepage was briefly defaced with a message from a hacker or group calling itself The Impact Team, alongside a link to a small sample of the hacked data. The hackers claimed to have obtained personal data on the firm’s 40 million users – across Ashley Madison and sister sites Established Men and Cougar Life – including financial information and customers’ sexual fantasies. Also stolen, according to Brian Krebs, were “maps of internal company servers, employee network account information, company bank account data and salary information.”
The hackers’ beef seems to have been ALM’s ‘full delete’ privacy service, which gave users the option of spending $19 to remove PII and account usage history. The Impact Team claimed this promise was a “complete lie” which had netted the firm $1.7m in revenue in 2014. “Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed,” they wrote.
The hackers continued: “Avid Life Media has been instructed to take Ashley Madison and Established Men offline permanently in all forms, or we will release all customer records, including profiles with all the customers’ secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails. The other websites may stay online.”
ALM responded a day later that it had closed “unauthorized access points” and invoked the Digital Millennium Copyright Act (DMCA) to take down any personal information already leaked online.
The site owner added that it was offering the full delete option to all customers for free, claiming it did work: “Contrary to current media reports, and based on accusations posted online by a cyber-criminal, the ‘paid-delete’ option offered by AshleyMadison.com does in fact remove all information related to a member’s profile and communications activity. The process involves a hard-delete of a requesting user’s profile, including the removal of posted pictures and all messages sent to other system users’ email boxes. This option was developed due to specific member requests for just such a service, and designed based on their feedback.”
The Breach
At the time of writing it still isn’t clear exactly how the hackers managed to infiltrate ALM’s network and steal customer data, although signs point to an insider. For example, ALM CEO Noel Biderman is quoted by Krebs as claiming: “I’ve got their profile right in front of me, all their work credentials. It was definitely a person here that was not an employee but certainly had touched our technical services.”
The attackers also apologized to director of security, Mark Steele, claiming: “You did everything you could, but nothing you could have done could have stopped this.”
However it was caused, the incident should serve as a reminder to CISOs of the importance of understanding their respective businesses, according to Trey Ford, global security strategist at Rapid7.
“Over-leveraged security programs tend to focus their energy on protecting regulatory data centers of gravity: ask any executive where their PCI/PII/PHI data lives, and they’ll have a pretty good idea,” he tells Infosecurity.
“The Ashley Madison breach brings into focus the need for CISOs to understand the workings of their business, specifically what data is collected, where it resides, and how it is stored, accessed and logged. There is a serious difference between understanding the sensitivity of information, and allocating budget and human resources to protecting it, especially for unregulated data sets.”
The Implications
The potential impact on ALM and its customers is obviously pretty severe in this case. The Canadian firm was planning an IPO in London later this year which it was hoped would raise around $200m, following bumper sales of $115m in 2014. It can be reasonably expected that this will not happen. In fact, whatever the cause of the data breach, the future of the firm itself is now on a knife edge. For an industry where the privacy of user data is sacrosanct, an incident like this could be catastrophic in terms of brand reputation and customer trust.
The impact on customers of the site could also be grave. The personal information stolen included financial data which could be used to commit identity fraud. But unusually in a data breach case, the very fact of being identified as among those affected could ruin an individual’s personal life. For that reason the data is a prime target for blackmailers, as well as those who could use the info to make follow-up spear-phishing attacks more effective.
Experts were divided over whether victims could claim compensation if they are ‘outed’ as part of the breach.
“In this context, merely being named as having been in the database, not to mention leakage of more intimate details and photos, can have grave implications for those involved. I am sure many individuals are already suffering grief and anxiety as they watch the events unfold,” International Association of Privacy Professionals vice president of research and education, Omer Tene, tells Infosecurity.
“Courts have begun to recognize that this type of harm too can merit compensation.”
Hogan Lovells counsel Mac Macmillan argues that, as it stands, UK Ashley Madison customers would not have legal remedy under the Data Protection Act, as ALM is a Canadian company without a major base in the United Kingdom. This might change with the coming EU General Data Protection Regulation, although it would have to be proven that the firm didn’t at the time have sufficient “technical and organizational security in place,” she tells Infosecurity. The latter would include things like ensuring staff with access to customer data are properly vetted.
Lessons Learned
According to Ford, the incident should serve as a cautionary tale for security managers.
“CISOs tasked with protecting privileged, personal, and highly sensitive information should implement forced password rotations, customer notifications, a clear privacy statement, and immediately acknowledge an incident, with a statement of what specific data was impacted so users can work to protect themselves quickly,” he argues.
For Tene, the incident is proof that firms “must treat individuals’ data as a valuable but also potentially toxic asset.”
He explains: “Even before legal implications, a data breach or misuse of personal information can seriously weigh down trust, reputation and brand, directly impacting the bottom line and subjecting senior management and the board to heightened risks. Between the FTC, FCC, state AGs and private litigants, including class action lawyers, enforcement risks are high and rising, as this area garners daily media attention.”
“We recommend organizations institute comprehensive data governance programs accounting for both privacy and data security, and including vendor management, data retention, and responsiveness to individual rights.”
According to Hogan Lovells’ Macmillan, the case itself is unlikely to represent a tipping point in the way individuals or organizations regard data privacy and security, as it simply isn’t relevant to enough people, despite the large number of records breached. A senior internal auditor at UK supermarket chain Morrison’s was jailed for eight years in July after posting the personal and financial details of 100,000 employees online. However, that case received relatively little press attention because it wasn’t particularly salacious, she argues.
“Ashley Madison hit the headlines because of the subject matter, but equally a lot of people will disassociate themselves from it because it’s not close enough to home,” she adds. “Yet they’re not thinking about the fact that every time they wear a fitness tracker they’re sharing data without understanding the implications.”
But Tene believes the case should force businesses and governments to look more closely at what safeguards they have in place to minimize privacy and security risks.
“This includes appointing dedicated officers to oversee data management, putting in place data governance programs, and using technological, administrative and legal safeguards to minimize risk,” he argues.
“Businesses that fail to do so will sooner or later bear the costs. In particularly egregious cases, they’ll be driven out of business. Just as a car manufacturer can’t afford to sell a vehicle with faulty brakes, a site dealing with super sensitive information cannot afford to have subpar privacy and infosec safeguards.”
KPMG cybersecurity practice senior manager Matt White agrees that online providers need to up their game, as incidents like this and the Adult FriendFinder attack in May become more widespread.
“It is alarming how relatively immature user awareness is when it comes to protecting their data. Users are yet to develop an almost ‘hardwired’ level of security that we see in other areas of their lives. For example, most of us are brought up to always wear a seat belt or to lock our front doors to prevent burglaries,” he tells Infosecurity.
“A certain level of awareness will come, but we are not at that stage yet, therefore companies need to ensure that they take every measure possible to protect their users and train their staff to protect the company’s data assets against hackers.”
Ashley Madison: What Happened When?
July 19: Brian Krebs reveals that The Impact Team published around 40MB of data stolen from Avid Life Media (ALM), including user card details and company documents. A statement from the group threatens to release data on all 37m users unless the site is closed.
August 18: The hackers post a 9.7GB file to the dark web including personal details of the site’s users. A day later, the data spills onto the open web, while ALM tries to take it down by issuing copyright notices.
August 20: Second data dump appears, this time 19GB in size.
August 21: Canadian law firms launch $578m class action suit against ALM on behalf of Canadians who signed up to the service, alleging their privacy was not properly protected by the firm.
August 22: Third trove of data released online including emails allegedly taken from ALM CEO Noel Biderman’s personal account, appearing to show he cheated on his wife.
August 24: ALM announces $378,000 reward for info leading to arrest of hackers behind The Impact Team.
August 25: It emerges that online scammers are using the news of the hack to extort and defraud ALM customers, or else trick them into downloading malware.
August 26: Brian Krebs claims hacker could be linked to Twitter user Thadeus Zu.
August 28: ALM reveals CEO Biderman has resigned, effective immediately.
August 31: ALM claims Ashley Madison is still attracting users, trying to quash speculation that it has grossly exaggerated the number of unique female users who actively use the site.