What Does The Security Industry Really Think About The Ashley Madison Hack?
TechWeekEurope collates the views of some of the technology industry’s biggest names
The online infidelity community was shocked this week after hackers began posting data from millions of users at online cheating site Ashley Madison after apparently gaining access to the company’s internal databases.
As well as making a lot of its 37 million users very worried about their life choices, the hack also raised worrying implications for the many online companies that store a large amount of data online. So TechWeekEurope asked the security industry what it thought about the hack, and what needs to be done for other companies to avoid such an attack.
Marta Janus, security researcher, Kaspersky Lab
“The news that Madison Ashley has been hacked highlights the need for all companies to enact security measures to prevent cyberattacks and therefore protect their customers’ personal data. Users that are entrusting private information into the care of a website should be safe in the knowledge it is kept in a secure manner and all companies who handle private data have a duty to ensure it.
Any security breach resulting in a leakage of private data is equally bad – no matter if the website is considered “unethical” or even illegal – as the affected users might not necessarily be guilty of any illegal/unethical activity. In the case of Ashley Madison hack, the leaked data contains information like real names, addresses and the credit card details, which makes it quite a serious issue, as once it’s public, cybercriminals could use it to steal money.
There are a number of reasons why a company could become the victim of this kind of attack, such as financial, political or as appears to be the case here, ethical. What is important is that companies understand that anyone can be targeted by cybercriminals, and whilst security solutions significantly mitigate the risk of a successful attack, there are also other measures to be taken in order to provide thorough protection. These measures include running fully updated software, performing regular security audits on the website code and penetration testing the infrastructure. The best way to combat these types of cyberattacks is at the beginning; by having an effective cybersecurity strategy in place before the company becomes a target.”
Chenxi Wang, VP of cloud security and strategy, CipherCloud
“This hack may just kill Ashley Madison. The hackers are demanding the company to shut down or face public release of the very personal details of all of its 37 million customers. This puts AM between a rock and a hard place if it continues to operate. It’s unthinkable for any business, especially one that runs on discretion and trust, to betray its customers’ confidentiality.
Trust is essential for e-commerce to work. But already, we’re seeing multiple areas where the company’s credibility for trust has been broken. It claims to “invest in the latest privacy and security technologies” yet the breach uncovered extensive information – names, credit card numbers, nude photos, etc. And a breakdown in the company’s own technology is evident. For example, the profile delete service – which Ashley Madison charged $19 for – failed to work.
The deeply personal nature of this hack hits home. As extramarital affairs come to light, the number of victims will multiply to include affected families. The longer the company continues to operate, the more the damage done.”
Ken Westin, senior analyst, Tripwire
“These kinds of breaches can be quite disastrous for individuals who signed up for web services with the expectation of confidentiality and privacy. Even if users of the site had paid a fee to remove their profile and history, their personal information was still compromised. Unfortunately, in these situations even if aliases were used the profile is still linked to real names through credit card transactions, emails and other pieces of data. If this information is released it could expose the 40 million users of the various online entities, and it has the potential to compromise much more than just email addresses and credit card numbers. Information associated with adult services has the potential to ruin lives, be used for blackmail or even espionage purposes if government officials are involved.
These kinds of compromises exposes an ongoing issue of websites and services which claim to protect privacy and anonymity in their marketing collateral, or in this particular service it was the key feature. The problem is in order for these services to operate and collect money, the anonymous profiles are usually connected to a real identity. The amount of information these services collect regarding activity and interactions with the website such as IP addresses, usernames, email addresses, browsing history and other information increases the stakes, particularly if this data is archived instead of deleted.”
Michael Sutton, chief security information officer, Zscaler
“It is highly likely that scammers who have had nothing to do with the breach will take advantage of it. Scammers are likely to see an opportunity to profit by sending random ransom emails. With 37 million accounts compromised it won’t be difficult to identify people that are indeed Ashley Madison customers and are willing to pay a ransom in the hopes that it will maintain their anonymity.
The attackers are stating that while Ashley Madison customers have been charged $20 for a ‘full delete’ of customer data, this is not actually occuring. The payment for the ‘full delete’ is recorded and the customer name and credit card information is retained, thus maintaining a record that the individual was a customer, thereby largely defeating the purpose of the payment.”
Mahisha Rupan, senior associate, Kemp Little
“Legally, Ashley Madison has to ensure that its users’ information is protected using security measures that are in proportion to the sensitivity of the personal information being protected. Given that the hackers claim to have collected “secret sexual fantasies, nude pictures, credit card transactions, real names and addresses as well employee documents and emails”, it is arguable that Ashley Madison should have been using state-of-the-art security technology.
“However Ashley Madison is actually quite elusive about its security techniques – it only states that it will be using “industry standard” technologies and practices, which inevitably begs the question, what industry is being referred to? Most individuals would expect a higher standard of security to be used by Ashley Madison than other online services. Another legal obligation is that Ashley Madison should not be keeping its users’ information for longer than necessary.
Given that the hackers accessed information about users who have stopped using the service and requested the “paid delete” functionality, Ashley Madison will need to have a strong and justifiable reason as to why it still held these users’ information. Making sure that you’re not hoarding data and that you have in place clear data deletion practices are key components of being a good data custodian.
Unusually Ashley Madison offers two services for users leaving the service; they can simply cancel their subscription or they can cancel and pay for the “complete profile removal” option which promises to remove the existence of the users’ profile, including any messages and photos sent.
A key cornerstone of data protection laws is that companies should not be keeping data that it no longer requires. For those users that didn’t opt for the paid deletion route, it is unclear why Ashley Madison would be keeping their profiles alive. Users could potentially have a claim under data protection laws that Ashley Madison was holding excessive amounts of out-of-date information. Additionally it is possible that the users would have a breach of contract claim against Ashley Madison for violating its own terms and conditions.”
Dave Palmer, director of technology, Darktrace
“The Ashley Madison breach is interesting because it was carried out by a person known to the company, who had privileged access and was clearly looking to seriously debilitate the company. And yet their activities were not spotted early enough to prevent the serious situation that the company now finds itself in.
Whether you call this ‘cyber vandalism’ or an ‘insider attack’, the reality is that the threat is already inside. The company admits that the security tools that they had in place did not prevent the attack. Companies need to get real and take this on board, if they don’t want to be the next victim. It means embracing an ‘immune system’ approach which is going to highlight the emerging signs of compromise, before damage is done – and abandoning the illusion that you can block all threat.
Avid Life Media are right to say that no online asset is safe today. They now need to work out how they stop it happening again. Ultimately, it comes down to visibility. Did they have visibility of their networks that would have shown them that one insider behaving abnormally? It looks like the answer is ‘no’. They need to resolve this fast.”
Are you a security pro? Try our quiz!