Extramarital affair matchmaking site Ashley Madison was breached yesterday, and the details surrounding the case should make excellent fodder for a future episode of CSI: Cyber. The motivation for this attack, purportedly conducted by a group calling itself The Impact Team, appears to be rooted in moral outrage, but not the kind you might think. Their grudge has little to do with protecting the sanctity of marriage. Instead, the hackers seem to have focused their ire on a privacy upsell feature that they considered disingenuous.
Ashley Madison had been touting an add-on service that enabled its members to completely erase their profile information for a one-time $19 fee. As it turns out, the company was still hanging onto sensitive data from former members who had already paid for and exercised this nuclear option. The Impact Team’s chilling message to Ashley Madison is simple: Kill yourself, or we’ll do it for you by outing every single one of your members.
“Leading up to this breach, Ashley Madison prided itself on airtight data security—a claim that seemed to have in part provoked the attackers who are now threatening to release users’ personal information.
As of now there are indications that the breach may have occurred due to a third-party contractor with access to Ashley Madison’s systems. This is an organization whose entire business model depends on trust, anonymity and discretion. They cannot afford to have anything less than the most state-of-the-art insider threat detection capabilities to prevent this kind of data leakage from privileged insiders.”
Mohan Koo, CEO and co-founder, Dtex Systems
Whether or not the site’s user base deserves our collective sympathy is irrelevant; this has chilling implications for every business. Having long touted its airtight security and identity protection measures, Ashley Madison still fell prey to someone who allegedly once had legitimate access to its systems. If the hack does turn out to be the work of someone abusing insider access, it serves as an uncomfortable reminder that even companies that consider their security impenetrable can overlook critical internal threats. No one is immune to these kinds of attacks. Such discretion-as-a-service providers make for big targets in the hacker world, and the message here is clear: Brag about your security at your own risk. If you’re going to talk the talk, you need to walk the walk.