Data Privacy and Security

Ashley Madison data breach: Security industry responds

Today, Impact Team, the group that hacked AshleyMadison.com, followed through on its threat to publicise the data stolen from the site, posting it on the dark web. Bad news for users of the site, which caters to those looking for “married dating, discreet encounters and extramarital affairs”. But what does it mean for tech? As the latest in a long line of hacks, just how worried should we be?

We asked around to find out what top cybersecurity professionals think. Feel free to add your own opinion below in the comments section.

 

David Emm, Principal Security Researcher at Kaspersky Lab and Marta Janus, Security Researcher at Kaspersky Lab

“Following the news that Ashley Madison has been hacked in a bid to enforce closure of the site – it has today been claimed that hacking group ‘Impact Team’ has delivered on its promise of revealing email addresses, usernames, passwords and credit card transactions. The impact such exposure can have is not only detrimental to the security of an individual’s personal details, but can also have serious financial implications. Users that are entrusting private information into the care of a website should be safe in the knowledge it is kept in a secure manner and all companies who handle private data have a duty to ensure it.

Any security breach resulting in a leakage of private data is equally bad – no matter if the website is considered “unethical” or even illegal - as the affected users might not necessarily be guilty of any illegal/unethical activity. In the case of the Ashley Madison hack, the leaked data contains information such as real names, addresses and credit card details. Now it's public, cyber-criminals have the opportunity to use this information to steal money or personal identities.

Although the motive of hacking this website appears to be for ethical purposes, the hackers have made it clear that not all profiles are real – and could in fact be a scam. This is already a very real danger associated with online dating websites. The actions of the hacking group here highlight just how vital it is for all companies with an online presence to understand that they could at any point be targeted, directly or indirectly, by cybercriminals, and whilst security solutions significantly mitigate the risk of a successful attack, there are also other measures to be taken in order to provide thorough protection. These measures include running fully updated software, performing regular security audits on the website code and penetration testing the infrastructure.

There are a few steps consumers can take to protect against such attacks in the future. People should always read any terms of use and privacy policies very carefully before sharing confidential data with websites, especially when credit card details are required. Unfortunately, once a breach of this nature has been made, there is not much that can be done. In this case, users can change usernames and passwords and potentially notify the bank to apply for a new credit card - just to be on the safe side. Ultimately, the damage related to users’ privacy being compromised is not something that can be easily fixed.

The best way for organisations to combat these types of cyber-attacks is at the beginning; by having an effective cybersecurity strategy in place before the company becomes a target.”

 

Corey Nachreiner, CTO, WatchGuard:

“What is alarming about this data breach is the sheer scale of the compromise, which included the company’s entire infrastructure. The danger here would be to condone this kind of Robin Hood vigilante behaviour because of the ethical code of the site’s users. The reality is, information stolen could lead to any number of hackers extorting money and blackmailing users for the rest of their lives.

Ashley Madison claimed to have stepped up their network security following the initial attack. But this ignores the fact hackers have had access to an enormous amount of data for some considerable time, which is another red flag for companies who store valuable data. Businesses should assume they have already been compromised when putting security in place since you can never have perfect defence. Organisations must implement discovery-and-response tools so that they can immediately see and handle the incidents that get past their gates.

It is a reminder that cyber criminals may be hacktivists with social agendas who want to disrupt day-to-day business or organised criminal groups going after your customers’ financial or personal data – or in this case, both. At the root of these exploits, I am reminded of the advice I regularly give to kids. At a very basic level, do not put anything online you wouldn’t be happy to see on the front page of the news on your grandmother’s coffee table. The internet is forever, no matter who you trust with your data.”

 

Patrick Peterson, CEO of Agari:

“It will now be critical for Ashley Madison to continue being open and honest with its customers and the public. Either they can control the narrative, or the criminals can control the narrative.

In today’s connected age, where data breaches are inevitable, every minute matters. As part of response plans, it’s imperative that businesses are prepared to be upfront and transparent right away. Something that is especially important for a brand like Ashley Madison, whose entire business model was built on the premise of guaranteeing users anonymity.

It’s also important to remember that the one-two punch of a data breach means that further damage could still come. Every publicised data breach becomes another chance for cyber criminals to target victims with spam or phishing efforts in an attempt to steal personal information.

This means crisp, clear messaging with the appropriate balance of confidence and contrition is imperative. For Ashley Madison it also means choosing a secure channel of communication, such as email, to communicate with customers and introducing security controls that monitor for any authorised communications referencing the brand that put customers at further risk.”

 

Luke Brown, Vice President & GM, Europe Middle East Africa India & Latam at Digital Guardian

“If ALM were trying to call The Impact Team’s bluff then it seems to have backfired pretty spectacularly. While the data has only been released on the dark web for now, it will inevitably find its way into more mainstream channels over time, resulting in very public naming and shaming for Ashley Madison’s members. Perhaps even more embarrassing for ALM and Ashley Madison is the disclosure of the fact that a significant proportion of users on the site are fake, bringing into question the credibility of the website as a whole. 

For sites like Ashley Madison, data is its lifeblood, so why was it not better protected at the source? It’s not just Ashley Madison that’s guilty of this though. Recent reports from Gartner and Forrester show that between 2010-2014, an average of 41% of security investment went on network (perimeter) security and only 1% on actual data protection. In this same time period the number of major global data breaches has nearly tripled. Had a more data aware security model been in place, ALM could have prevented much of this data from ever being taken, either by hackers breaching perimeter defences, or someone on the inside trying to remove it. As it stands, it looks like it’ll be quite a while until this sorry affair reaches its conclusion.”

 

Matt Newing, CEO at Elitetele.com:

“Consumer trust in a business has never been so critical. Today’s reports of hackers publishing the details of 37 million Ashley Madison users have left patrons exposed and the business’s reputation in tatters. The reports that 9.7 gigabytes of data has been posted, including members’ account and credit card details, demonstrate the need for customers to feel confident that their financial and sensitive details are safe when parting with them. The bottom line is, if the public does not trust your brand, they aren’t going to give you their custom.

In fact, recent research by Elitetele.com found four in five consumers aren’t confident that their financial information is secure when dealing with big brands. In addition to this, a third (33%) don’t believe their data is safer today than it was five years ago.

Businesses need to ensure they have the correct technologies in place to protect consumer data so it can proactively communicate its security to its customers, earn their trust and therefore safeguard the growth of the business. One initial, simple step a business can take is to ensure they are PCI compliant.”

 

Michael Sutton, Chief Security Information Officer at Zscaler:

“Whether conducting transactions online or at brick-and-mortar stores, consumers have little choice but to rely on retailers to properly secure their information… There are no bulletproof countermeasures for consumers when it comes to protecting financial data or Personally Identifiable Information (PII). Consumers should assume that breaches will occur and take steps to limit exposure. This can be best achieved by restricting purchases to reputable vendors, sharing only necessary information, avoiding insecure networks and regularly checking banking records and credit histories to identify potentially fraudulent transactions.”

 

Robert Arandjelovic, Director of Security Strategy EMEA at Blue Coat

“Today’s news that 9.7 gigabytes of Ashley Madison customer data has been stolen from the dating site and released on the dark web, relates to millions of payment transactions, including names, street addresses and email addresses. This freely available information can arm cyber attackers with the weapons to cause even more damage to Ashley Madison users at work or at home. The release of this data is likely to only be the start of more to come as it is used by various threat actors on the dark web.

Now that more than 9 gigabytes of data has been released, Impact Team may begin to look at the financial value of a target to see if they will profit from the time spent building malware for the attack. This data is most likely to be amongst some of the most valuable data sets compromised so far. If it is worth $100 to ‘go away’ and there are 37 million users, this could be one of the largest heists in history.

Last month we predicted that the Ashley Madison breach will have a long tail and we believe there is certainly more to come.”

Kate Hoy

Kate Hoy is Editor of IDG Connect
