What can we learn from the Ashley Madison Information breach?
Last month, hackers known as the Impact Team breached the servers belonging to Ashleymadison.com, a website that proclaims itself the top forum for cheating spouses seeking partners for infidelity. According to a document released at the time, the hackers took issue with the site assisting cheaters. They also took issue with what they consider to be fraudulent business practices. For a $19 fee the Ashley Madison site offered a service whereby it promised to delete all of a customer’s account and account activity. But the hackers said that the site lied: although the data may have been deleted from the public-facing part of the site, the company retained it on its back-end servers. The hackers made a single demand after the breach occurred: that Avid Life Media, the Canada-based parent company of Ashley Madison, take down the Ashley Madison site as well as another site the company operates called Established Men. The hackers deemed the activity of the Established Men site to be prostitution, and warned that if Avid Life Media failed to take down the two sites they would release customer data. That’s exactly what happened. The hackers released 9.7 gigabytes of data to the dark web using an Onion address accessible only through the Tor browser. The data released includes names, passwords, addresses and phone numbers submitted by users of the site, though it’s unclear how many members provided legitimate details to open accounts.
Alongside the released data, the hackers also released a statement. In it they made clear that it was Avid Life Media who had let their customers down and lied to them, and that anyone wanting to prosecute and claim damages should do so against the company.
It’s clear that the Impact Team had no real interest in the data they took from the Ashley Madison website. This attack was carried out as an act of justice. It was directed at the questionable morals Avid Life Media ignored and promoted. The hackers also had an issue with what they considered Avid Life Media’s fraudulent business practices.
This incident isn’t like your regular information security breach. This was a direct attack from a group of people who strongly disapproved of the business practices of Avid Life Media, and who clearly worked on a case to bring the company down.
This major breach provokes some key security awareness thoughts:
- Can we really trust websites that request and store our confidential information on their servers? How can we be assured that our information is safe from exposure to the public eye?
- For a business whose website hosts the accounts of thousands of customers: are you completely protecting your customers’ data? Do you have the correct security controls in place to prevent a major server breach of this kind, one that could potentially collapse your business? Have you thought about groups of people who would have strong arguments and reasons to damage your business in the long term? How are you protecting your business from these potential attacks?
These are questions we all need to ask ourselves, from both a customer’s and a business owner’s perspective. The key benefit of running an ISO 27001 Information Security Management System for your business is that it requires you, first, to identify and record your key company assets and, second, to identify and control any possible internal and external threats to those valuable assets. For Ashley Madison, a valuable asset would have been its customer data, and in this case the company failed to control the risk of exposing this data to the public.
Furthermore, the Ashley Madison affair should prompt people to consider a company’s security before trusting it with sensitive or personal information. Although there will always be an element of risk, a key indicator of strong security within a company is ISO 27001 certification, the international best-practice standard for information security management systems.