Investigative reporter Brian Krebs recently broke the news that hackers calling themselves The Impact Team stole “large caches of data” on the 37 million users of the adultery website AshleyMadison.com, which boasts the tagline, “Life is short. Have an affair.”
Noel Biderman, CEO of Ashley Madison parent company Avid Life Media, told Krebs, “We’re not denying this happened. Like us or not, this is still a criminal act.”
The hackers leaked data including information on an apparently random selection of users, along with maps of company servers, employee account information, company bank account information and salary data.
The Impact Team claimed that the attack was launched to demonstrate that the site’s offer to remove all of a user’s personally identifiable information from the site in return for a $19 fee is a lie.
“Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed,” the hackers wrote.
The hackers threatened to release all customer records, including profiles, names, addresses and emails, if Avid Life Media didn’t take both Ashley Madison and parallel site Established Men offline. “And with over 37 million members, mostly from the US and Canada, a significant percentage of the population is about to have a very bad day, including many rich and powerful people,” they wrote.
Biderman told Krebs that he believes he knows who was responsible for the attack, saying, “It was definitely a person here that was not an employee but certainly had touched our technical services.”
In a statement published on July 20, 2015, Avid Life said, “We have always had the confidentiality of our customers’ information foremost in our minds, and have had stringent security measures in place, including working with leading IT vendors from around the world. As other companies have experienced, these security measures have unfortunately not prevented this attack to our system.”
“At this time, we have been able to secure our sites, and close the unauthorized access points,” the company added. “We are working with law enforcement agencies, which are investigating this criminal act. Any and all parties responsible for this act of cyber–terrorism will be held responsible.”
A similar breach two months ago exposed the account details of 3,867,997 users of the adult dating site Adult FriendFinder.
Pat Clawson, CEO of Blancco Technology Group, told eSecurity Planet by email that the breach makes it clear why it’s so crucial for companies to understand the difference between deleting and destroying data. “The two are not the same and mistaking one for the other can put companies, their employees and their customers into serious trouble,” he said.
“As a rule of thumb, remember this: Deleting is recoverable and destroying is not recoverable,” Clawson added. ” It’s irresponsible for a company to not deliver on what they promise their customers, and hopefully this hack serves as motivation for companies to take a hard look at their IT security policies and processes to ensure their information, and their customers’, are 100 percent safe. Period.”
And Eric Chiu, president and co-founder of HyTrust, said dating sites by definition hold very personal information on their users. “This information can be used to not only steal additional information and ultimately the person’s identity, but also embarrass or hold individuals at ransom, especially given that many users would want to keep this information secret from colleagues or spouses,” he said.
“In addition, similar to Snowden and Sony, this is a great example of how organizations can now be held hostage and permanently damaged by the own data that they collect and how important it is to secure sensitive data from insider threats,” Chiu added.
A recent eSecurity Planet article offered several tips for improving database security.