Data terrorism – a deadly match

The impact of the Ashley Madison mass cyber leak is reported to have claimed its first suicide victims in the last few days following the first divorce proceeding announcements from suspicious partners across the globe.

There has now been an accusation from an aggrieved former staffer at Ashley Madison that innocent victims formed part of the mass data volume.  The employee, who had sought compensation in a grievance case against the dating agency, claimed that she had been recruited to make up spurious accounts to boost membership numbers and attract matches, along with an insidious claim that innocent people had been caught up in 3rd party data lists looped in and caught up in the resulting data dump.

Avid Life Media in desperate attempts to try and position itself as the victim, has offered a £240,000 reward for information leading to the hackers of its IT systems. If the number of class action lawsuits (five at the latest count – 4 US and 1 Canadian) are anything to go by, Avid Life might be trying to raise the sum, not offer it in future, as more than $500 billion is already being claimed in damages, according to NBC News.  On top of this, claims have emerged from security blogger Brian Krebs that leaked emails show that CEO Noel Biderman hacked into a competitors database, Nerve.com in 2012 to download and play with their customers’ accounts to make non-paying customers pay and create mythical messages between parties.

Beyond Avid Life’s own low morale stance, an unsurprising but sad repercussion has been the news that cyber criminals are now reaching out to victims, claiming to have access to the stolen data and are targeting them with directions to click on spurious links that then open them to further malware threats. This is in addition to direct blackmail threats to a number of parties threatening to expose their identities from the publicly held information and share it with spouses, employers and their communities.

In a more positive regulatory twist this week, following a US appeal court ruling, the Federal Trade Commission has given the greenlight for a lawsuit against US hotel operator, Wyndham Worldwide, who suffered three breaches in 2008 and 2009. This resulted in frauds totalling more than $10.6 million against its 619,000 customers whose personal details and credit card information was stolen.  The FTC’s legal argument being that the hotel group failed to properly safeguard consumers’ data. This augurs badly for Avid Life Media if the wind changes in the direction of corporate responsibility as expected now.

For privacy protection firm Privitar commenting on the Wyndham Worldwide ruling, safeguarding data should be a key priority of organisations.  Their CEO Jason du Preez commented: “This decision is further support for the notion that companies need to take the way they manage and process sensitive data more seriously.”  Whilst opportunities from big data analytics are genuine, there are real legal and ethical implications which need to be properly comprehended and interpreted. For du Preez, “…ensuring that only essential data is visible in any given process, organisations can extract essential value from data while complying with the strictest standards for data protection as it separates data utility from data identity”, he said.

A cyber hacker is a terrorist and like any terrorist, has no care about how many victims they hurt, or how badly.  It is therefore up to every organisation to take all reasonable steps to safeguard the data they hold on behalf of 3rd parties.  There is no other option in today’s society – unless you want to throw away your business and see it going under through the courts.

AshleyMadison

No anonymity when you screw around online – notes from the Ashley Madison fallout

Adulterous subscribers and suspicious partners worldwide waited with baited breath for the fallout after data hackers the “Impact Team’ mass dumped the personal data records of 32 million users from the Ashley Madison database on 15th July 2015.  “It’s full account information,” said Robert Graham, CEO of Errata Security, in a blog post. “That includes full names, emails, phone numbers, addresses and passwords”.  Additionally credit card information and dating information about height, weight, personal information and GPS co-ordinates are included.  Whatever fake accounts some people may have created, there’s so much information leaked that dissecting it and cross referencing it will enable the identities to be verified.

With a further 14 Gigabytes of data with matching encryptions keys dumped yesterday, it is little surprise that the first divorce proceedings about suspected infidelities have started to be listed in the English law courts.  Inevitably the primary beneficiaries of all of this will be the divorce lawyers.  As one quipped today, “September will be like Christmas this year”.  Nice.

The list of global offenders some of whom may have signed up with false names or email addresses is reported to include: business leaders, public figures, government employees, senior politicians, members of the military, police officers and diplomats.  In the US, more than 15,000 of the email addresses are allegedly hosted on US government or military servers using the “.gov” and “.mil” top-level domains, with ties to agencies including the State Department, Department of Homeland Security, as well as the House and Senate.  There is real risk for damaged reputations and of course the prospect of future blackmail threats awaiting some – but for those naughty enough to use the website, it may be years before they are targeted by criminals.

A trigger for the hackers was apparently the flaws in their data protection policy, with leavers being charged a £12 fee to have their details removed permanently.  However, this was not the case, despite assurances from CEO Neil Biderman, as after initial threats from the Impact Team, there were multiple reports of people who had paid this charge whose details still appeared in the exposed data.

Ashley Madison factoids:
• The online dating agency for married people has been running since 2001.
• Subscribers number 37 million members worldwide across 46 countries.
• The organisation states that there are 1.2 million subscribers in the UK alone (representing 2% of the population).
• Ashley Madison’s revenue for 2014 was reported at £77m.
• They are stated to be worth £670 million.

The source code of Ashley Madison is held by its parent company Avid Life, which now faces threat through its other websites and business interests.  The Sword of Damocles now hangs over smug CEO Noel Biderman’s business.  It is highly unlikely it can survive a) the hit to its reputation as a safe place to flirt and b) the cost of lawsuits which are expected to hit its doormat in coming months?

From a legal perspective a breach of privacy may have occurred if personal information has been discovered and published, which could open Ashley Madison to lawsuits.   Mark Watts Head of Data Protection at London law firm Bristows, noted that if a company had a presence in the UK (eg. office or a server) it would be subject to the UK’s Data Protection Act and UK residents would have the right to have their data deleted for free. “You cannot charge for it”, he said.  Our quick check at Companies House shows one Ashley Madison Limited, private limited company, still reportedly active in status terms today, whose nature of business is “other information technology service activities”. They have a registered office in Milton Keynes.

As Luke Scanlon, technology lawyer at Pinsent Masons commented:  “The interesting thing about this incident is that recent court decisions in the UK have been leaning towards the view that a claim can be brought when no financial loss occurs but where a person experiences distress as a result of a data breach.

“In the case of Ashley Madison… if each were to try to claim for £1000 in compensation Ashley Madison could see itself incurring costs of up to £1.2 billion. Even if claims for distress in this case are modest, the sheer volume of data breached and individuals affected in this attack could have a critical impact on the company”.  A remedy for breach of contract he advises would be complicated, costly, and risk further exposure.  However, this sounds like a Class Act to us.

Unreasonable behaviour certainly from Ashley Madison, a salutary reminder to businesses and organisations that never has it been more important to ensure that they have up to date data security measures in place, accompanied by robust governance policies to ensure best possible defence against cyber threats.
AshleyMadison