Following last month's hack, adultery website Ashley Madison has had the names, addresses, phone numbers, password hashes and credit card transaction details of around 32 million of its 37 million registered customers posted on the darkweb. Hacker group the Impact Team has released 9.7 gigabytes of data, including most email addresses and many credit card details, in what it says is retaliation for the site charging a fee to delete customer details and then allegedly failing to do so.
Thirty days ago Canada-based parent company Avid Life Media (ALM) had been given a month by the hackers to take down its adultery site Ashley Madison and dating site Established Men or user details taken from its compromised user databases, source code repositories, financial records and email system would be made public.
Wired reports that this data is now available online as a Tor hidden service (an .onion address, reachable only through the Tor browser). Because a hidden service conceals the location of the server hosting it, there is no single host that can be taken down in one fell swoop.
A notice from the hackers said "time's up" and accused ALM of lying to its customers (a reference to its "full delete" service, which lets members erase their profile information for a US$19 fee), telling users to "Prosecute them and claim damages." According to the hackers, ALM made US$1.7 million in revenue in 2014 from the full delete service, which is meant to remove site use history and personally identifiable information, but they say users' payment details are not in fact removed.
Avid Life Media issued a statement describing the hack as "an act of criminality” saying it had "now learned that the individual or individuals responsible for this attack claim to have released more of the stolen data".
"The criminal, or criminals, involved in this act have appointed themselves as the moral judge, juror, and executioner, seeing fit to impose a personal notion of virtue on all of society. We will not sit idly by and allow these thieves to force their personal ideology on citizens around the world," the statement said.
The company had planned a public flotation, but the nature of the business, which relies heavily on trust that has now been largely lost through the breach, makes this unlikely, a dramatic example of the potential losses a breach can cause. And while Ashley Madison may not be a mainstream conventional business, as a slew of commentators (below) note, the issues nonetheless have wider implications, and the service on offer should not distract from them.
Blue Coat, a cyber-security technology company investigating the breach, believes there is more fallout to come from the ALM breach and, in an email to SC, noted that this could include:
Reselling personal data to other cyber-attackers, noting that this data is most likely to be amongst the most valuable data sets compromised so far. If it is worth US$100 to 'go away' and there are 37 million users (at US$3.7 billion), this could be one of the largest cyber-heists in history.
Financial or non-financial blackmail of Ashley Madison and its customers: Not all of the personal data of Ashley Madison users has been released, therefore cyber-attackers may go directly to the management, or to the individual users of Ashley Madison and ask for a payment for the release/deletion of personal data. Blackmail can also happen through non-financial means by coercing victims into working with the attackers as an insider.
Social Engineering to take down bigger business targets: Attackers can identify high value targets who are members of Ashley Madison and collect widely available social media data to impersonate the victim over a long period. If successful, attackers can gain unrestricted access to corporate networks and sensitive work information.
Commenting in an email to SCMagazineUK.com Keith Poyser, GM EMEA at Accellion, agrees that: "Whilst Ashley Madison was hacked by sophisticated cyber-criminals, the lesson to be learnt is that no business can afford to take cyber-security and data protection lightly. We have seen breach after breach in the last two years, from Carphone Warehouse to Target and Sony, to name a few. This is a cyber-arms race with criminal techniques constantly evolving, which means defence against attack must also evolve.
“With the number and severity of breaches increasing every year, it's understandable that consumer confidence in data security is at times low. But steps can be taken to win this trust back and reduce the risk of further breaches while protecting reputation and market position.
“Companies cannot afford the reputational loss that breaches cause – prevention makes far better sense, which means investment in security at all layers. Most importantly, cyber-security must become part of any business culture and it must touch every segment of the work that a business does. Many businesses have solid network layer defences, asset layer management and protection, and personnel education on security. Yet, many more still use non-secured, public cloud services or leave their content with inadequate protection. Content is the new battleground. Cyber crime will only become more sophisticated and while web users will never feel completely safe, the onus is on the gatekeepers of their data to do everything in their power to keep it under lock and key.”
George Anderson, director at cybersecurity firm Webroot adds: “This is definitely a unique cyber-criminal act, one that I'm sure is very controversial amongst readers. I don't think this is just a sophisticated ‘kiss ‘n tell'. There is a desire to hurt people here and that's sick as well as being criminal. Whilst readers' morals may conflict, either seeing this group of hackers as good or bad guys, the fact remains that the Impact Team illegally obtained sensitive personal info. I'd imagine the fall-out is divorces, firings and blackmail – really personally malicious and upsetting stuff. There are no moral judgments on this except the immorality of hackers. So the ‘what now?' is pretty nasty and the site users will probably be considering a class action for negligence.
“All companies, especially those dealing with proprietary information or customer data – must balance their security resources against their risk tolerance, and look at threat intelligence solutions that provide them with the greatest scope of protection.
“For the consumers, when posting personal information online, despite the best security of you and the site, it is good to make sure you're okay with this data becoming public record. If not, consider not posting it.”
Dr Chenxi Wang, VP of cloud security & strategy at CipherCloud suggests that: “Ashley Madison should have halted operations rather than betray the confidentiality of millions of customers. The hackers rightly pointed out that parent company ALM failed to protect customers, the bottom line for doing business. 9.7 gigabytes is a lot of customer names, credit cards and intimate details about individuals. The real victim is not Ashley Madison, it is the customers and their families, who are forced to suffer humiliation and pain. They could have been spared if Ashley Madison had done the tough but right thing. But maybe we should not be surprised – trust is not the strong suit for a company that makes its money by encouraging people to lie and cheat.”
Gary Newe, Technical Director, F5 Networks notes how this is still a breach of online privacy and another wake-up call for consumers and businesses alike. Furthermore, the news is a reminder of how vital it is that organisations focus on the data they're trying to protect if they want to keep hackers at bay. He comments: "The news of this hack only shows how the rate of data breaches is showing no signs of slowing down. Is it even possible to keep our online data secure? If you haven't been targeted yet, you've been lucky.
“But if organisations don't act now, hackers will continue to find new ways to compromise their systems and steal their data. Unfortunately, there is no silver bullet to solve the issue so many are now facing. However, organisations should start by looking at what they're trying to protect and what it is hackers might be looking to compromise. Increasingly, the vectors of these attacks are multi-threaded. For example, while a DDoS attack might be ongoing, it is often designed to distract the security and IT team whilst hackers attack your applications surgically elsewhere to gain access to your data.
“It has been interesting to see how the industry is split around the morals of this hack. Regardless of your views on Ashley Madison's customers and the service, this is an unacceptable breach of online privacy. If we start separating hacks into those that are acceptable and those that are not, where does it stop? If we want to keep businesses and consumer data safe from hackers, we need to be on the same side of the fence, rather than deciding whether a hack is moral or not."
Darren Anstee, chief security technologist at Arbor Networks adds in an email to SC: “This hack on Ashley Madison is the latest in a long line of cyber-attacks we have seen over the last six months. The fact that hackers were able to access not only users' records but the financial records of Avid Life Media, extracting a significant amount of data, is testament to the fact that companies need to be doing more as threats evolve. Although the (in)fidelity of the data has yet to be confirmed, organisations do need to invest more in their abilities to proactively identify threats that are already inside their networks, identifying unusual activities and trends in traffic.
"In today's threat landscape it's essential for any target that has data that may be valuable to an attacker to have the ability to detect, validate and contain threats quickly. Attackers will make it past perimeter defences, and we should expect this; what we need to do is stop them before they achieve their goals. This isn't all about technology, although having the right tools helps: people and process are key."