Adultery website Ashley Madison should have been using state-of-the-art security technology and cleansed its databases of sensitive information to protect its customers, a senior associate at a leading tech law firm has argued.
The attack is the latest high-profile hack to hit the headlines and follows just months after the attack on another hook-up site, AdultFriendFinder.com.
According to Mahisha Rupan, senior associate at Kemp Little, Avid Life Media (ALM), which owns AshleyMadison.com, had a legal duty to protect users' information using tools that were in proportion to the sensitivity of the material being saved.
She also said that current and former users of the site could have grounds for legal action against the owners of the site.
The hackers who attacked the site and reportedly downloaded details of 37 million users said the data contained “secret sexual fantasies, nude pictures, credit card transactions, real names and addresses as well as employee documents and emails”.
Calling themselves the 'Impact Team', the hackers have demanded the Ashley Madison site, together with the associated site Established Men, be closed down. Failure to comply could result in the hackers releasing the confidential customer information which had been exfiltrated.
Given the nature of the information stored, Rupan told SCMagazineUK.com that “it is arguable that Ashley Madison should have been using state-of-the-art security technology”.
However, Rupan said it's not clear that ALM was using the best security. “Ashley Madison is actually quite elusive about its security techniques – it only states that it will be using ‘industry standard’ technologies and practices, which inevitably begs the question, what industry is being referred to?” she said. “Most individuals would expect a higher standard of security to be used by Ashley Madison than other online services.”
In fact, ALM's communication over the hack hasn't been entirely clear. There was some confusion at Ashley Madison customer service yesterday, as The Guardian reported, over exactly how many customer records had been stolen. A Guardian journalist, posing as a user, was told by several different customer service representatives that only two records had been exfiltrated. Asked about this later, a company spokesman said that customer service “might be stepping a bit too far in terms of what they're saying”.
There is also a lack of clarity over Ashley Madison's paid-for “hard delete” service. The company charged US users US$ 19 and UK users £15 if they wanted to have all their personal details removed from the site. This included photos, profiles and copies of their messages to other users.
The attacker stated that one of the motivations for the hack was to demonstrate that the “hard delete” option was a sham. They claimed that the stolen data contained details of users who had paid for a full delete. This apparently consisted of their purchase details including real name and address.
Michael Sutton, chief information security officer (CISO) at Zscaler, said: “The attackers are stating that while Ashley Madison customers have been charged US$ 20 for a 'full delete' of customer data, this is not actually occurring. The payment for the 'full delete' is recorded and the customer name and credit card information is retained, thus maintaining a record that the individual was a customer, thereby largely defeating the purpose of the payment.”
ALM has responded to claims that the paid-for “hard delete” option for users was not effective, saying, “Contrary to current media reports, and based on accusations posted online by a cyber-criminal, the ‘paid-delete’ option offered by AshleyMadison.com does in fact remove all information related to a member's profile and communications activity. The process involves a hard-delete of a requesting user's profile, including the removal of posted pictures and all messages sent to other system users' email boxes.”
However, it's not clear based on statements issued by ALM whether the full-delete option also removed customers' payment details. SC has put in a request to ALM for comment on this.
As Ken Westin, senior security analyst at Tripwire, told SC, it's almost impossible for a website that takes payments to remove all personally identifiable information. “These kinds of compromises expose an ongoing issue of websites and services which claim to protect privacy and anonymity in their marketing collateral,” he said. “The problem is in order for these services to operate and collect money, the anonymous profiles are usually connected to a real identity.”
Nonetheless, if it turns out that ALM was keeping payment information – or more information – it will raise questions about its data protection policies. Rupan said that, like all other data controllers, Ashley Madison has a legal obligation not to keep users' information for longer than necessary. “Given that the hackers accessed information about users who have stopped using the service and requested the ‘paid delete’ functionality, Ashley Madison will need to have a strong and justifiable reason as to why it still held these users' information,” she said. “Making sure that you're not hoarding data and that you have in place clear data deletion practices are key components of being a good data custodian.”
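To make the retention problem Westin and Rupan describe concrete, here is an added example (not code from the article or from ALM) that models a constructed account store, contrasts a “full delete” that leaves the purchase record intact with one that reduces it to a pseudonymised ledger entry, and audits which identifying fields still reference the user afterwards. The Account layout, field names and the residual_identifiers check are assumptions made for illustration.

```python
import hmac
from dataclasses import dataclass, field

# Constructed sample store; the field names and record layout are assumptions for
# illustration and say nothing about how any real site stored its data.
PII_FIELDS = {"name", "address", "email", "card_number"}

@dataclass
class Account:
    user_id: str
    profile: dict = field(default_factory=dict)
    messages: list = field(default_factory=list)
    payments: list = field(default_factory=list)

def make_store():
    return {"u1": Account(
        "u1",
        profile={"name": "Jane Doe", "address": "1 Example Rd",
                 "email": "jane@example.test", "photos": ["p1.jpg"]},
        messages=[{"to": "u2", "body": "hello"}],
        payments=[{"name": "Jane Doe", "address": "1 Example Rd",
                   "card_number": "4111111111111111",
                   "amount": 19.0, "date": "2015-07-01"}])}

def naive_full_delete(store, user_id):
    """Clears profile and messages but leaves the purchase record as it was, so the
    payment row still carries the user's real name, address and card number."""
    acct = store[user_id]
    acct.profile.clear()
    acct.messages.clear()

def minimised_full_delete(store, user_id, key):
    """Clears profile and messages and reduces each payment to what a ledger needs:
    amount, date and a keyed hash of the card number (a pseudonym that lets a refund
    or chargeback be matched without retaining the PAN, name or address)."""
    acct = store[user_id]
    acct.profile.clear()
    acct.messages.clear()
    acct.payments = [
        {"amount": p["amount"], "date": p["date"],
         "card_ref": hmac.new(key, p["card_number"].encode(), "sha256").hexdigest()[:16]}
        for p in acct.payments]

def residual_identifiers(store, user_id):
    """Audit step: every identifying field still stored for the user after deletion."""
    acct = store[user_id]
    found = set(acct.profile) & PII_FIELDS
    for p in acct.payments:
        found |= set(p) & PII_FIELDS
    if acct.messages:
        found.add("messages")
    return sorted(found)
```

Running residual_identifiers after the naive routine still reports name, address and card number, which is exactly the gap the article's sources describe; after the minimised routine it reports nothing.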
Current and former users of the site could have grounds for legal action against ALM. “A key cornerstone of data protection laws is that companies should not be keeping data that it no longer requires,” Rupan said. “For those users that didn't opt for the paid deletion route, it is unclear why Ashley Madison would be keeping their profiles alive. Users could potentially have a claim under data protection laws that Ashley Madison was holding excessive amounts of out-of-date information. Additionally it is possible that the users would have a breach of contract claim against Ashley Madison for violating its own terms and conditions.”
Norman Shaw, founder and CEO at ExactTrak, commented: “Not fully deleting customer data on request is unforgivable, a breach of contract and having to pay for the privilege is ridiculous. If this happened in Europe next year, I shudder to think what the fine would be given by the new EU data protection regulation.”
Ironically, its users' desire for privacy might be ALM's salvation as people may be reluctant to expose themselves further. “I can't imagine too many people wanting the publicity of taking this to court – full delete or not,” said Gavin Reid, VP of threat intelligence at Lancope.
ALM chief executive Noel Biderman has suggested that the hack was an inside job. He told KrebsonSecurity.com that a fast-moving investigation had identified a suspect who had once done some work for the company. “We're on the doorstep of [confirming] who we believe is the culprit, and unfortunately that may have triggered this mass publication,” Biderman said. “I've got their profile right in front of me, all their work credentials. It was definitely a person here that was not an employee but certainly had touched our technical services.”
The attacker's message indicates that they knew the ALM director of security: “Our one apology is to Mark Steele (Director of Security),” the manifesto reads. “You did everything you could, but nothing you could have done could have stopped this.”
This admission that a former staffer might be responsible for the theft has led security experts to comment on the nature of the insider threat.
Centrify said the incident ties in with the results of its “State of the Corporate Perimeter” survey of 400 UK and US IT decision makers. It found that 49 percent of organisations “off-board” ex-employees and contractors the same day they leave, while the other half said it could take a week or more to change or delete passwords for sensitive information.
Gavin Reid at Lancope said: “While some look at this as karmic justice, all signs point to yet another example of a ‘trusted Insider’ and the devastating, organisation-destroying consequences that can accompany a successful hack. That being said, Avid Life Media's press release is well out of line calling this an act of ‘Cyber Terrorism’. It does raise concerns, however, that the data here could be combined with some of the recent .gov hacks providing some compelling leverage.”
Veracode's principal solution architect John Smith observed that “insiders” are not only your staff but also your trusted contractors. “As we see time and again, third-party vendors, contractors and applications are given access to sensitive information or systems to the extent that they are an extension of the company itself. It's critical that CIOs or CISOs evaluate the entire ecosystem that connects to their businesses and plan risk mitigation strategies accordingly, regardless of whether a third-party is building or hosting applications, or contract IT work,” he said.
Idan Tendler, CEO at Fortscale, said: “For ALM, like many other organisations, dealing with threats like this is still a very green field. In just about every sales call we have, customers acknowledge right away that they are willing to mitigate insider threats and that they have such a programme in their work plan.”
Brian Chappell, director of technical services EMEAI at BeyondTrust, said: “Often too much emphasis is put on the external threat and the internal threat is largely ignored. The problem is that, however high the wall you build around your network, once someone is inside it's open season. We've got to dump the fortress mentality once and for all. Security is an exercise in layers, one approach will not fit every person or system in the organisation so layering the security is essential to allow individuals to have the appropriate access, the least privilege necessary to be productive in their work. The tooling is there.”
Thierry Karsenti, technical director at Check Point, told SC: “Given the sensitivity of the data, it does raise the question of why access to unencrypted personally identifiable information was allowed. Any organisation holding such data should consider encryption, and deploying data loss prevention technology as a minimum.”
Dr Chenxi Wang, VP of cloud security and strategy at CipherCloud, said: “This hack may just kill Ashley Madison. The hackers are demanding the company to shut down [the site] or face public release of the very personal details of all of its 37 million customers. This puts AM between a rock and a hard place if it continues to operate.”