What the Ashley Madison Hack Taught Us

On July 15, a hacker group calling itself “The Impact Team” announced online that it had breached the infamous dating site Ashley Madison along with a sister property, Established Men. In a manifesto, the group demanded that the parent company, Avid Life Media (ALM), shut these services down or risk having the private information of its end-users released to the public.

On August 18, the group made good on this threat and released over 60GB worth of this data. Two days later, the group released a second dump, this time focusing on ALM’s internal corporate documents and property, including financial information, proprietary source code, and even the personal email of its now-former CEO, Noel Biderman.

While the full extent of the damage to its users and to ALM may never be known, the hack exposed the harsh reality of what happens when our personal private information, held by others, becomes public for all to see.

Most companies that operate on the Internet are, in some capacity, aware of the dangers posed by external attackers. Recently, major security vulnerabilities such as Heartbleed and Shellshock received media attention because of their seriousness. While businesses scramble each time to patch these vulnerabilities, few spend sufficient time addressing another important vector—their own people.

The day after the initial announcement of the ALM breach, its CEO, Mr. Biderman, made a statement insinuating that the hack may have originated from an agent inside the corporation: “I’ve got their profile right in front of me, all their work credentials. It was definitely a person here that was not an employee but certainly had touched our technical services.”

Whether true or not, the statement highlights a very real threat. For the most part, organizations follow a rigorous hiring process to select the right people and, by virtue of working together, establish trust. However, if an employee were to go “rogue”, would the organization know? How well protected are its internal systems against someone who already has legitimate access?

This is not to say you shouldn’t trust your employees or colleagues—you should. At the end of the day it’s all about managing risk. Organizations need to take the time to fully evaluate the consequences that security breaches can bring. Even Avid Life Media at some point thought about this. In an internal self-assessment document, ALM’s CTO, Trevor Sykes, outlined that their primary responsibility is the “[p]rotection of personal information” and that their major risks were “[d]isgruntlement in teams,” and “[r]etention/[m]otivation/[s]ecurity concern[s]” due to “bad internal actors.” He further mentions that “[m]ore audit capabilities might mitigate” these risks.

When dealing with information security, the payment card industry has a leg up on the rest. This industry comprises all major credit, debit, and other payment-related players. Any business that handles online payments or point-of-sale devices in some way has to adhere to the PCI Data Security Standard (PCI DSS).


While the standard is focused on protecting financial data, the same principles can be adopted for protecting private information. In addition to mandating specific security practices, PCI DSS spends time on mitigating internal risks. The concept of role-based access control (RBAC), whereby employees are granted only the permissions their roles require, is a particularly good policy to have, regardless of the industry. Under PCI DSS, no one person can hold the keys to the whole kingdom. When PCI DSS is properly implemented, a single insider (or an attacker who has compromised one account) can inflict only limited damage without colluding with others.
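To make the “no one person holds the keys to the kingdom” idea concrete, here is a small role-based access control model with a separation-of-duties check. This is an added example written for this page; it is not code from the article, from Avid Life Media, or from the PCI DSS text. The roles, permissions, “toxic” permission combinations and user assignments are all constructed for illustration.

```python
"""Role-based access control with a separation-of-duties check.

Added example, not code from the article or from Avid Life Media.
The roles, permissions and "toxic" permission combinations below are
constructed for illustration and are not taken from PCI DSS.
"""
from itertools import combinations

# Constructed role catalogue: each role grants a small, task-scoped set of permissions.
ROLES = {
    "support_agent":    {"customer:read_profile", "ticket:write"},
    "billing_clerk":    {"customer:read_billing", "refund:request"},
    "billing_manager":  {"refund:approve"},
    "db_admin":         {"db:backup", "db:restore"},
    "security_auditor": {"audit_log:read"},
    "exporter":         {"customer:export_bulk"},
}

# Constructed "toxic" combinations: permission sets that, held by one person,
# amount to the keys to the kingdom (e.g. requesting and approving your own
# refund, or reading customer profiles and bulk-exporting them).
TOXIC_COMBINATIONS = [
    {"refund:request", "refund:approve"},
    {"customer:read_profile", "customer:export_bulk"},
    {"db:backup", "customer:export_bulk"},
]


def effective_permissions(assigned_roles, roles=ROLES):
    """Union of the permissions granted by every role assigned to a principal.
    An unknown role raises instead of silently granting nothing."""
    perms = set()
    for role in assigned_roles:
        if role not in roles:
            raise KeyError(f"unknown role: {role}")
        perms |= roles[role]
    return perms


def is_allowed(assigned_roles, permission, roles=ROLES):
    """Deny-by-default permission check for one principal."""
    return permission in effective_permissions(assigned_roles, roles)


def separation_of_duties_violations(assignments, roles=ROLES, toxic=TOXIC_COMBINATIONS):
    """Return {principal: [toxic set, ...]} for every principal whose
    effective permissions cover at least one toxic combination."""
    violations = {}
    for principal, assigned in assignments.items():
        perms = effective_permissions(assigned, roles)
        hits = [combo for combo in toxic if combo <= perms]
        if hits:
            violations[principal] = hits
    return violations


def role_pairs_that_violate(roles=ROLES, toxic=TOXIC_COMBINATIONS):
    """Static policy check: which pairs of roles must never be co-assigned,
    because together they would form a toxic combination?"""
    bad = set()
    for a, b in combinations(sorted(roles), 2):
        perms = roles[a] | roles[b]
        if any(combo <= perms for combo in toxic):
            bad.add((a, b))
    return bad


# Constructed user-to-role assignments.
ASSIGNMENTS = {
    "alice": ["support_agent"],
    "bob":   ["billing_clerk", "billing_manager"],  # can request and approve refunds
    "carol": ["db_admin"],
    "dave":  ["support_agent", "exporter"],         # can read and bulk-export profiles
}

if __name__ == "__main__":
    for who, hits in separation_of_duties_violations(ASSIGNMENTS).items():
        print(f"{who}: holds toxic combination(s) {hits}")
    print("role pairs that must not be co-assigned:", sorted(role_pairs_that_violate()))
```

The per-request check (`is_allowed`) is the part most systems already have; the two policy checks are what actually enforce the PCI DSS idea. `separation_of_duties_violations` catches a person who has accumulated dangerous rights through several otherwise reasonable roles, and `role_pairs_that_violate` lets you reject such an assignment before it is ever granted rather than discovering it in an audit afterwards.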

Notably absent from the Avid Life Media dumps were the full credit card numbers of its users. The dump contained only partial card numbers and transaction identifiers. The company never actually stored complete credit card data. This is likely the result of an early decision by its owners to use a third-party provider for payment storage in order to limit the scope of the obligations that PCI DSS demands—a testament to the standard’s effectiveness.

The trouble with personal private information comes down to ownership. In the case of payment cards, the issuing companies actually own the cards tucked away in your wallets. It’s in their best interest to safeguard their own property. Private information, on the other hand, has by definition only one owner—you. No other body has as much vested interest in safeguarding your information as you do.

So as an end-user, how can you obtain reasonable assurance of security from organizations asking for your precious data? Unfortunately, there’s not much you can do at this moment. Various governments have taken it upon themselves to intervene here. In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) is the governing law that outlines a user’s rights over their private information in the hands of commercial organizations. Most of the act focuses on end-user rights and organizational responsibilities related to the collection, use and disclosure of such information. However, it stops short of outlining any security practices that companies should take, which is unfortunate.

The next time you’re faced with a web form, take a moment to think through the consequences if this information were to somehow get out. Do some research into the company before hitting “submit.” Is it a service you trust? Will your reputation or safety be damaged by a breach of privacy? A web search for the company’s name together with “scam” or “security” is usually a good starting point. See if the organization has made an effort to outline what measures it takes to safeguard your data. If it has, do you consider them enough? Do others?

Until better regulations or standards are adopted by the data-holders, the onus is on us, the end-users, to make an educated decision.