Ashley Madison compromise stories are everywhere. There have been articles on the hack itself, and analyses of data stolen and published by hackers. Noel Biderman, Chief Executive Officer of parent company Avid Life Media Inc. (ALM), stepped down late last week. So what can other businesses learn from the Ashley Madison breach?
At the risk of stating the obvious, the Ashley Madison hack is receiving a lot of attention due to the nature of the business. The majority of large data compromises during the past few years have been payment card related. While it is certainly undesirable to have financial information compromised, it’s not nearly as scandalous as a massive data breach involving a business with the motto, “Life is short. Have an affair.”
ALM was clearly the target of this attack. To date there have been no reports of payment card fraud, and credit card numbers were not included in the data dump released by the hackers. The criminals responsible could have attempted to extort money from ALM, but instead they demanded that the site be shut down or all data would be released. When it wasn’t shut down, they followed through on their threat. The perpetrators could also have easily profited by directly contacting members of the site: even if one tenth of one per cent of the site’s reported thirty million users (30,000 people) had paid a $50 extortion demand, the hackers would have netted $1.5 million. But they didn’t.
There are three likely attacker profiles: a former employee with a score to settle, an unhappy customer, or a competitor. The Ashley Madison hackers complained that the company charged customers $20 to delete their profile, but that the deletion was allegedly incomplete. According to Ars Technica, the site may have been “raking in somewhere between $152,000 and $342,000 each month, just from the Full Delete option alone.” The fact that this issue was raised at all suggests the hackers had intimate knowledge of the service.
Based upon the released data, the attack on Ashley Madison went far beyond a single database compromise. The dump included credit card transaction records going back to 2008, with the name and address associated with each transaction but only the last few digits of the card number. The database dumps suggest that the site stored all of its information in a few MySQL databases, with passwords hashed but nothing else encrypted. They also suggest that the hackers compromised the SQL database server at the operating system level, along with other corporate systems.
Businesses that hold sensitive personal information can learn three important lessons from Ashley Madison:
First, a major security breach can be fatal. Ashley Madison is pursuing a “business as usual” approach, but is unlikely to succeed due to loss of customer confidence. One might not expect Ashley Madison customers to identify themselves and take legal action, yet class action suits have already commenced. Should the same happen to an organization holding personal information that carries less social stigma, such as medical records, far more victims will be willing to come forward, and the litigation may be even more damaging.
Second, databases by themselves do not provide sufficient security controls for personal information. If an application with read access to the database is compromised, the attacker inherits that access and can also steal the application’s database credentials for reuse. If the intruder is able to log on to the operating system of the database server, taking a full database dump is trivial. Encrypting sensitive fields at the application layer, using keys that are never stored on the database server, should be considered mandatory: an attacker who walks away with the database then holds only ciphertext.
Third, processing sensitive personal information requires stronger system- and network-level security architectures. Access to critical assets such as database servers should require two-factor authentication. In most organizations, compromising a system administrator’s workstation with targeted malware yields the passwords and SSH keys needed to seize control of the organization’s Windows and Linux systems; a second factor that a stolen password or key alone cannot satisfy breaks that chain.
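To make the second and third lessons concrete, here is an added example in Go (not code from this column, and not ALM’s software) showing field-level encryption of a member record with AES-256-GCM. The encryption key is handed in by the caller and is assumed to come from a key management service or HSM on the application host, never from the database server; the member table, its columns and the sample values are constructed for illustration. Each ciphertext is bound to its row id and column name through GCM’s additional authenticated data, so a blob copied between rows or columns in a stolen dump fails to decrypt, and grepping the raw dump for the e-mail address finds nothing.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// memberRow stands in for one row of a members table (constructed for this example).
// The id stays in the clear for lookups; the PII columns hold nonce || AES-256-GCM ciphertext.
type memberRow struct {
	ID        int
	EmailEnc  []byte
	StreetEnc []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aad binds a ciphertext to its row and column, so a blob moved to another row or column will not decrypt.
func aad(id int, column string) []byte {
	return []byte(fmt.Sprintf("member:%d:%s", id, column))
}

// encryptField seals one PII value. The key is supplied by the caller and is assumed to come
// from a KMS or HSM on the application host, never from the database server (example assumption).
func encryptField(key []byte, id int, column, plaintext string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag after the nonce, so the stored blob is self-describing.
	return gcm.Seal(nonce, nonce, []byte(plaintext), aad(id, column)), nil
}

// decryptField fails on a wrong key, a wrong row or column, or any tampering.
func decryptField(key []byte, id int, column string, blob []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(blob) < gcm.NonceSize() {
		return "", fmt.Errorf("ciphertext too short: %d bytes", len(blob))
	}
	pt, err := gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad(id, column))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// newMemberRow is what the application does before INSERT; readMember, after SELECT.
func newMemberRow(key []byte, id int, email, street string) (memberRow, error) {
	e, err := encryptField(key, id, "email", email)
	if err != nil {
		return memberRow{}, err
	}
	s, err := encryptField(key, id, "street", street)
	if err != nil {
		return memberRow{}, err
	}
	return memberRow{ID: id, EmailEnc: e, StreetEnc: s}, nil
}

func readMember(key []byte, row memberRow) (string, string, error) {
	email, err := decryptField(key, row.ID, "email", row.EmailEnc)
	if err != nil {
		return "", "", err
	}
	street, err := decryptField(key, row.ID, "street", row.StreetEnc)
	return email, street, err
}

// dumpContains models an attacker grepping a stolen table dump for a plaintext value.
func dumpContains(rows []memberRow, needle string) bool {
	var dump bytes.Buffer
	for _, r := range rows {
		fmt.Fprintf(&dump, "%d,%s,%s\n", r.ID, r.EmailEnc, r.StreetEnc)
	}
	return bytes.Contains(dump.Bytes(), []byte(needle))
}

func main() {
	key := make([]byte, 32) // demo only: a real service fetches this from a KMS/HSM at start-up
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	row, _ := newMemberRow(key, 42, "alice@example.com", "1 Main St") // constructed sample
	email, street, err := readMember(key, row)
	fmt.Println("dump leaks e-mail:", dumpContains([]memberRow{row}, "alice@example.com"))
	fmt.Println("application reads:", email, street, err)
}
```

The database server in this design only ever sees the sealed blobs; an intruder with an operating-system shell on it can still run a dump, but the dump is useless without the key held on the application side. Nonces are random per field, so two members with the same street produce different ciphertexts, and the row/column binding stops an attacker who can write to the database from moving a blob they cannot read into a row they can.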
Many companies don’t implement controls such as encryption and two-factor authentication because of the cost, but, as the Ashley Madison hack demonstrates, those dealing with sensitive information can’t afford not to. Life is short. Secure your data.
Have a security question you’d like answered in a future column? Email firstname.lastname@example.org