The hackers behind the Ashley Madison breach have reportedly dumped a lot more data online.
“Hey Noel, you can admit it's real now,” reads a message posted – along with 20GB of data – to the same dark web site with the same PGP key used in the previous data dump, Motherboard reported.
Noel Biderman is CEO of Ashley Madison's parent company Avid Life Media. This data dump may focus on corporate information and Biderman's email rather than customer data, Motherboard said, adding that it is now going through the data.
Included in the data is site source code, making the site vulnerable for as long as it is operational.
On Wednesday, ALM said on AshleyMadison.com, “No current or past members' full credit card numbers were stolen from Avid Life Media. Any statements to the contrary are false. Avid Life Media has never stored members' full credit card numbers.”
Ashley Madison did not immediately respond to a SCMagazine.com request for comment.
Among follow-up stories, there has been at least one divorce cited, and one woman was told live on air on an Australian radio phone-in programme that her husband's name was among those in the customer lists revealed - she then hung up. Gay and bisexual users in countries where homosexuality is illegal were reportedly having their lives put at risk due to the breach.
Customers using work emails, including defence department numbers, were among the other concerns raised. In an email to SCMagazineUK.com, Ed Macnair, CEO at CensorNet, commented: "It is worrying to hear that some of the 36 million people involved in the Ashley Madison data breach had signed up to the dating website using their work email addresses. It is easy to understand why an individual would choose to use their work address – to avoid the risk of a partner on the prowl catching them out. However, what's astonishing is that IT departments are allowing sites such as Ashley Madison through their web filters. With so many civil servants, including employees from the Ministry of Defence involved, it raises serious questions about government security."
Cindy Truyens, managing director at software quality specialist SQS, says that the Ashley Madison data breach is not just a data breach, noting in an email to SC that it is "a very stark reminder of the personal and business risks associated with providing and managing customer data, and suggests that the lack of software quality processes within organisations can, and will, affect consumers – something that brands should desperately be avoiding."
Of immediate concern are the potential costs, not just of remediation and lost reputation, but of legal suits from customers, with Luke Scanlon, technology lawyer at Pinsent Masons, telling SC: “The interesting thing about this incident is that recent court decisions in the UK have been leaning towards the view that a claim can be brought when no financial loss occurs but where a person experiences distress as a result of a data breach. In the case of Ashley Madison, which is reported to have 1.2 million subscribers in the UK alone, if each were to try to claim for £1,000 in compensation Ashley Madison could see itself incurring costs of up to £1.2 billion. This event reinforces the need for businesses to not just think about what is mandatory by law in information security, but what is best practice.”
This article was first published in our sister publication SC Magazine, reproduced with additional material from SC Magazine UK.