Ashley Madison: A Tale of Sex, Lies, and Data Breaches

Data breaches rarely make for sensational news. Media outlets may report about them but public interest often dies down after a week or two.

Or that was the case until the Ashley Madison breach happened. The recent leak of the Ashley Madison accounts is the culmination of a month-long digital stand-off between the site that blatantly encourages people to have affairs and a hacktivist group called the Impact Team.

Last July, Ashley Madison reported that they became victims of a data breach. The Impact Team took credit, demanding that the site and another related site be taken offline permanently. The hackers then proceeded to leak snippets of account information as well as company information, including internal company servers.

The group made good with their threat as the accounts soon found their way into the Deep Web. The leaked information had several revelations. For example, 15,000 accounts had either a .mil or .gov email address. Combing through the addresses, other media outlets have found that work emails were frequently used in accounts.

(Funnily enough, the leak presented proof that the site practiced some security measures not found in other sites. For example, the passwords were stored using some form of encryption and not just in plaintext.)

Some have pointed out that users shouldn’t have expected their information to be kept safe, considering the very nature of the website. But removing the moral implications of the site, Ashley Madison assured customers that their information would be kept private and even offered a paid service to delete user data permanently—which it failed to do on both counts.

Addressing Data Breaches

This leak proves that many organizations are not ready to deal with a data breach: either by preventing one in the first place or managing one after it’s occurred. This is very problematic given the real-world implications of data breaches.

“Reputational risk is real if you do not actually invest in next-generation cybersecurity. The hackers of the world will bypass the traditional security defenses that are advocated by major standards organizations like the Payment Card Industry Security Standards Council (PCI SSC),” says Tom Kellermann, chief cybersecurity officer for Trend Micro in an interview.

This is so much so in the case of Ashley Madison or many other sites working on the premise of keeping its users actions discreet and private.

In an ideal scenario, security measures against data breaches should be put in place even before such incidents occur. For example, organizations should assess the type of data that they ask from users. Do they really need certain specifics beyond contact and financial information? Even non-essential nuggets of information can be seen as sensitive—especially when used as building blocks to complete a victim’s profile.

Encrypting sensitive information and restricting access to it goes a long way in mitigating possible intrusions, especially from internal hackers. Some have speculated that the Ashley Madison breach was an inside job; if that were the case, stricter access control could have made it harder to get the data.

When it comes to data breaches, it is no longer an issue of “if” but “when.” So even with these preventive measures in place, organizations should assume that there is an intruder in the network. With that thought, continuous monitoring of systems should be implemented to look for suspicious activity.

With all these in mind, organizations need to deploy a concrete multi-layered defense system as a proactive step against data breaches, as follows:

Regularly test the web sites and applications for critical security risks found in the Open Web Application Security Project (OWASP) top ten vulnerabilities list.

Deploy web application firewalls (WAF) to establish rules that block exploits especially when patches or fixes are still underway.

Deploy data loss prevention (DLP) solutions to identify, track, and secure corporate data and minimize liability.

Deploy a trusted breach detection system (BDS) that does not only catch a broad spectrum of Web-, email- and file-based threats, but also detects targeted attacks and advanced threats.

But what should orgs do after a data breach happens? Firstly, they should confirm if a breach did occur. Victims should learn of the breach from the affected organization, never from the media. Orgs need to state all that they know about the incident, such as the time the incident occurred.