Following last month's hack, adultery website Ashley Madison has had the names, addresses, phone numbers, encrypted passwords and credit card transaction details of around 32 million of its 37 million registered customers posted online on via the darkweb. Hacker group the Impact Team has posted 9.7 gigabytes of data, including most emails and many credit card details in claimed retaliation for the site allegedly claiming to delete customer details for a fee then not doing so.
Thirty days ago Canada-based parent company Avid Life Media (ALM) had been given a month by the hackers to take down its adultery site Ashley Madison and dating site Established Men or user details taken from its compromised user databases, source code repositories, financial records and email system would be made public.
Wired reports that this data is now available online via the encrypted Tor browser on an Onion address, meaning the data is distributed on the darkweb, and so cannot be taken down in one fell swoop.
A notice from the hackers said “time's up” and accused ALM of lying to its customers (a reference to its service that allows members to erase their profile information for a US$ 19 fee), telling them to “Prosecute them and claim damages.” According to the hackers ALM made US$1.7 million in revenue in 2014 from the full delete service to remove site use history and personally identifiable information from the site, but they say users' payment details are not in fact removed.
Avid Life Media issued a statement describing the hack as "an act of criminality” saying it had "now learned that the individual or individuals responsible for this attack claim to have released more of the stolen data".
"The criminal, or criminals, involved in this act have appointed themselves as the moral judge, juror, and executioner, seeing fit to impose a personal notion of virtue on all of society. We will not sit idly by and allow these thieves to force their personal ideology on citizens around the world," the statement said.
The company had planned a public floatation, but the nature of the business, being hugely reliant on trust, now largely lost through the breach, means this is unlikely to happen, making it a dramatic example of the potential losses caused by hackers. And while it may not be a mainstream conventional business, as a slew of commentators (below) note, the issues nonethelless have wider implications that should not be distracted from by the service being offered.
Blue Coat, a cyber-security technology company investigating the breach, believes there is certainly more to come from ALM and in an email to SC, noted that this could include:
Reselling personal data to other cyber-attackers, noting that this data is most likely to be amongst some of the most valuable data set compromised so far. If it is worth US$100 to ‘go away' and there are 37 million users (at US$3.7 billion), this could be one of the largest cyber-heists in history.
Financial or non-financial blackmail of Ashley Madison and its customers: Not all of the personal data of Ashley Madison users has been released, therefore cyber-attackers may go directly to the management, or to the individual users of Ashley Madison and ask for a payment for the release/deletion of personal data. Blackmail can also happen through non-financial means by coercing victims into working with the attackers as an insider.
Social Engineering to take down bigger business targets: Attackers can identify high value targets who are members of Ashley Madison and collect widely available social media data to impersonate the victim over a long period. If successful, attackers can gain unrestricted access to corporate networks and sensitive work information.
Commenting in an email to SCMagazineUK.com Keith Poyser, GM EMEA at Accellion, agrees that: "Whilst Ashley Madison was hacked by sophisticated cyber-criminals, the lesson to be learnt is that no business can afford to take cyber-security and data protection lightly. We have seen breach after breach in the last two years, from Carphone Warehouse to Target and Sony, to name a few. This is a cyber-arms race with criminal techniques constantly evolving, which means defence against attack must also evolve.