Named by founder Noel Biderman after two unrelated female forenames, Ashley Madison has more than 37 million users across 46 countries and generates more than £64.3 million per year in subscription fees. The site is thought to have as many as 1.2 million British members.
The Ashley Madison homepage displays an SSL Secure Site logo and a Trusted Security Award logo.
Unprovoked criminal intrusion
Website operators at Ashley Madison have confirmed that an “unprovoked and criminal intrusion into our customers' information” has taken place.
“We were recently made aware of an attempt by an unauthorised party to gain access to our systems. We immediately launched a thorough investigation utilising leading forensics experts and other security professionals to determine the origin, nature, and scope of this incident,” stated Avid Life Media, owners of Ashley Madison.
Avid Life Media states that it has now been able to secure its sites and close the unauthorised access points.
Security writer Brian Krebs details more of the mechanics of the hack: “Besides snippets of account data apparently sampled at random from among some 40 million users across ALM's trio of properties, the hackers leaked maps of internal company servers, employee network account information, company bank account data and salary information.”
Why did they do it?
Writing in The Telegraph online, Sophie Curtis gave a rationale for the attack.
“The Impact Team said it decided to publish the information in response to alleged lies Avid Life Media told its customers about its ‘full delete’ feature, which allows members to completely erase their profile information for a US$19 (£12) fee,” wrote Curtis.
John Smith, senior solutions architect at Veracode, told SCMagazineUK.com that whilst this is just one in a long line of customer data hacks, the secretive nature of Ashley Madison and its especially intimate customer information means that this breach is particularly worrying to the site's subscribers.
“Whilst Ashley Madison sold a service to its users which promised secure deletion of their personal data, it seems in reality that it did not completely purge all of that data from all systems. This highlights the challenges that organisations face when handling personal data, which may be distributed across disparate systems, and further reinforces the need for strategic and systematic thinking when approaching the security of that data,” he said.
Pat Clawson, CEO of the Blancco Technology Group, commented: “I think the biggest concern here has more to do with people believing they had paid for their sensitive information to be fully wiped, when that simply wasn't the case. Sure, users' data may have been ‘deleted’ but was it destroyed? Clearly not.
"This breach is exactly why it's so critical that both businesses and consumers understand the difference between deleting data and destroying data. The two are not the same and mistaking one for the other can put companies, their employees and their customers into serious trouble. As a rule of thumb, remember this: Deleting is recoverable and destroying is not recoverable.
"It's irresponsible for a company to not deliver on what they promise their customers, and hopefully this hack serves as motivation for companies to take a hard look at their IT security policies and processes to ensure their information, and their customers', are 100 percent safe. Period.”
A press release emailed to SC by Ashley Madison reports Avid Life Media's statement that: "Following the earlier unprovoked and criminal intrusion into our system, Avid Life Media immediately engaged one of the world's top IT security teams to take every possible step toward mitigating the attack.
"Using the Digital Millennium Copyright Act (DMCA), our team has now successfully removed all posts related to this incident as well as all Personally Identifiable Information (PII) about our users published online. We have always had the confidentiality of our customers' information foremost in our minds and are pleased that the provisions included in the DMCA have been effective in addressing this matter.
"Our team of forensics experts and security professionals, in addition to law enforcement, are continuing to investigate this incident and we will continue to provide updates as they become available."
Veracode's Smith says that as businesses collect and hold personal data they have a ‘duty of care’ to protect that information against a wide range of threats, whether it is a malicious insider (as may be the case here), an external attacker or accidental release of code in some form.
Don't say security, say ‘immune system’
Dave Palmer is director of technology at Darktrace, which describes itself as an ‘enterprise immune system’ company. Speaking to SC this week, Palmer says that whether you call this ‘cyber-vandalism’ or an ‘insider attack’, the reality is that the threat is already inside.
“The company admits that the security tools that they had in place did not prevent the attack. Companies need to get real and take this on board, if they don't want to be the next victim. It means embracing an immune system approach [a term his own firm popularises] which is going to highlight the emerging signs of compromise, before damage is done – and abandoning the illusion that you can block all threat,” he said.
Palmer adds, “Avid Life Media is right to say that no online asset is safe today. It now needs to work out how it stops it happening again. Ultimately, it comes down to visibility. Did the team have visibility of its networks that would have shown them that one insider behaving abnormally? It looks like the answer is ‘no’. They need to resolve this fast.”
Avid Life Media also operates sites called Cougar Life and Established Men, both of which appear to be intact and unaffected by this hack.