About 40 million swingers and sexual sophisticates have been whimpering in fear since hearing Sunday’s news that hackers broke into the servers of Avid Life Media, the parent company of online cheating site Ashley Madison.
The hackers stole large caches of personal data, Krebs on Security reported.
In addition to random customer account data, the hackers stole maps and the framework of Avid Life’s internal servers, employee account information, employee salary details, and Avid Life’s bank account data, according to Lifars.com. They published some of it on the Internet.
About 37 million of the victims were members of Ashley Madison.
Avid Life Reacts With Extreme Prejudice
As of mid-day Monday, Avid had secured its sites and closed the unauthorized access points, the company said in a statement provided to TechNewsWorld by spokesperson Andrew Ricci.
Avid is working with law enforcement and will hold “any and all parties responsible for this act of cyberterrorism,” the company said.
It invoked the Digital Millennium Copyright Act to remove the hacker’s posts relating to the hack and all personally identifiable user information published online.
Avid Life disputed the hackers’ claims that Ashley Madison had not deleted users’ records after charging them a US$19 fee, which the hackers cited as the reason for their attack.
“Contrary to current media reports and based on accusations posted online by a cybercriminal, the ‘paid-delete’ option offered by AshleyMadison.com does in fact remove all information related to a member’s profile and communications activity,” Avid Life said.
The process “involves a hard-delete of a requesting user’s profile, including the removal of posted pictures and all messages sent to other system users’ email boxes.”
In the wake of the hack, Avid Life now is offering its full-delete option free to all members.
Keeping Secrets Safe
“We have always had the confidentiality of our customers’ information foremost in our minds, and have had stringent security measures in place, including working with leading IT vendors from around the world,” Avid Life maintained.
“Every possible step — except deeply encrypting customers’ personal data,” commented Secure Channels CEO Richard Blech.
Encrypting the data “would have left the hackers with no leverage,” he told TechNewsWorld, and “there is no excuse” for not having done so.
Look Homeward, Angel
Avid Life’s first response to the hack indicated it was unaware its systems had been breached. It became aware of an unauthorized attempt to access its systems and immediately launched an investigation.
The hacker may not have been an outsider.
“There are indicators that an insider, such as a technical contractor, may have been involved,” suggested Ken Westin, security analyst for Tripwire.
That would make it more difficult to spot an attack unless proper controls were in place, Westin told TechNewsWorld.
Faith No More
Given that news of computer breaches makes headlines almost daily, and given the sensitive nature of the data required to use the Avid Life sites, and considering the opprobrium that would result from being found out, how is it Ashley Madison could lure 37 million cheaters to sign up?
“The vast majority of consumers have a childlike belief in the best intentions of the corporations they do business with,” Pund-IT Principal Analyst Charles King told TechNewsWorld.
The core business of sites like Ashley Madison “is not in protecting anonymity and privacy,” because, like social media sites, their nature is to collect information from users, Westin pointed out.
“This breach shows that the marketing and actual implementation of security and privacy controls were not in line,” he continued.
It could be argued that Ashley Madison’s users were at least Internet-savvy, so how could they not have realized the danger in signing up for the site?
“Perhaps it’s the equivalent of public flashing,” King said — “the attraction of illicit behavior.”