
Lessons from the Ashley Madison hack

This episode shows the power that a motivated and advanced hacker group can have over the future of a company.
No matter what happens to Ashley Madison, there will be even bigger hacks in the future exposing more user data.

QA | 27 August 2015


Last month Ashley Madison, a website offering spouses a way to cheat, was hacked. Impact Team, the hacker group responsible, gave the website a month to close down and threatened to publish the data they had stolen if it did not.

The month passed, the website was still running, and last week the hackers started releasing the data via the Dark Web. First the names, email addresses and financial transaction data of 33 million members were published; later came internal company emails, website source code and network information.

As with previous data dumps from the Target and JPMorgan hacks, the issues for those whose data has been exposed range from password protection and phishing to fraud and identity theft. The difference with this hack is the personal and secretive nature of the user data. There are already stories emerging of users being exposed, getting into marital trouble, and even suicides. Having your details on the database may mean you registered years ago when you were single and have done nothing untoward; conversely, you could have been a dedicated cheater. The data does not make that distinction, and nor may your better half.

The additional risks for users are blackmail (there are a large number of .gov and .mil (military) email addresses on the database) and extortion: threatening emails demanding bitcoins from users are already doing the rounds. This type of data breach is also perfect ground for "social engineering" phishing attacks: your spouse receives an email giving "proof" of your Ashley Madison account, then she (or he) opens the attachment and infects their own computer with malware. It is also likely that this type of phishing email will be sent with no link to actual Ashley Madison user accounts or email addresses.

For Avid Life Media, the company that owns Ashley Madison, this episode is nothing less than disastrous. Not only has the hack destroyed trust in a service that relies on it, the company's internal business processes have been exposed for all to see. Those appear to show that at best the company misrepresented its client base (it claimed a 50/50 split of women to men; it was actually more like 14/86) and at worst it fraudulently created fake female accounts to trick members into signing up and paying.

Worse still, when a member wanted their details removed from the website they were charged $19 for the inconvenience (something most other websites would be vilified for doing), and it also appears those members' details were not in fact removed. This bad practice is the reason the hackers gave for stealing and exposing the data in the first place.

There are already a number of class action lawsuits in the making against Avid Life Media over its failure to remove "deleted" users and to look after sensitive user data properly. No doubt Ashley Madison is spending large amounts of money attempting to track down the hackers and bring them to justice; however, catching them will do little to mitigate the damage. Keeping the business running should probably be the priority, which seems increasingly difficult now that it has lost so much trust in light of everything that has come out.

What this episode shows is the power a motivated and advanced hacker group can have over the future of a company, especially one that relies on data and keeping that data secret as a business model.

There are already wider questions being asked about just how much data we give away to companies about ourselves, and how dangerous that can be given hackers' ability to gain access to it and expose it.

No matter what happens to Ashley Madison, there will be even bigger hacks in the future exposing more user data. How little we care about terms and conditions, with their mandatory "click to accept" rule, has gone unchanged for a long time. Perhaps more hacks of this nature will convince us of what corporations and criminals have long known: our personal data is worth something and is important enough to hold onto.

More Information:

View the Sky News interview I did on the case

See QA's Cyber Security training courses
