Imagine that you’ve toyed with the idea of having an extra-marital fling, so you enter your picture and your personal and credit card information on a site that purports to enable you to do just that. What could possibly go wrong?
In the wake of another massive data breach on the Internet, this time with the Ashley Madison web site, a large percentage of the purported 39 million members are finding out.
Some people would say this is the karma these misguided individuals deserve. But tech-52 is not here to moralize or judge, however tempting that might be. What we’re interested in is exploring what happened and why.
As a cautionary tale, this one might be the dictionary definition.
Lay of the land
With each passing day, it seems, new web sites and web applications with serious utility emerge. There are ways to virtually try on, test, customize, and experience products online. Ways to research and learn. Ways to communicate. Ways to recreate and have fun. Ways to discover organizations and meet people who share your interests.
Increasingly, however, we are faced with evidence that entering the World Wide Web is akin to getting out of a New York taxi and waving a handful of $100 bills in the middle of Times Square.
For hackers, the Internet is rife with targets. Beyond the obvious financial ones, such as banks, brokerages, e-commerce, and payment sites, targets are increasingly chosen for sociopolitical reasons.
Why would Ashley Madison be targeted? We can only guess, but a look at their home page suggests a number of reasons.
First, I’m not here to judge, and I’m not a prude, but a site that openly encourages what most people consider immoral behavior among married couples invites a contrarian response.
Second, the site arguably begs for hackers to take the challenge.
For example, this: “Over 39,050,000 anonymous members!” And this: “100% Discreet Service.” And this: “Trusted Security Award.” Talk about throwing down the gauntlet. Hackers love a challenge.
So what really happened?
Just the muddled facts, please
On July 19, 2015, Krebs on Security, a well-known security news site, reported that “large caches of data stolen” from the Ashley Madison site had been posted online by an individual or group calling themselves The Impact Team.
The stated motive for the breach was Ashley Madison’s practice of charging customers $19 for a “full delete” of their profiles, which the Impact Team called “a complete lie.” The hackers claimed that users’ names and credit card information were retained despite the promise of full account deletion.
Unless Ashley Madison and its sister site, Established Men, were taken down, the hackers threatened to release the records, “including profiles with all the customers’ secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails.”
Indeed, just this week, the Ashley Madison user data was dumped onto the web and the dump was announced on Reddit. A searchable database of the leaked information was posted, and mainstream outlets like the Washington Post and Fox News are telling readers how to search it.
In addition, stories are emerging with the names of political figures and celebrities said to be on the list. A lot of embarrassment and mea culpas will no doubt follow.
The bottom line
Whether you condemn Ashley Madison, its users, the hackers, or all of the above, the fact remains that the Internet is really not a place you want to casually share personally identifiable information.
Banking, financial, commercial, medical, governmental, and other institutions are increasingly moving their operations onto the Internet.
Unfortunately, at the same time, online security is a fast-moving target, and only the most diligent companies take it seriously, much less keep up with it.
Securing the network perimeter is only part of the problem. Organizations that deal with customers and clients on the web also do not appear to manage the data they collect appropriately.
We work in information technology, specifically for a corporation that sells enterprise storage and the software to run, maintain, and secure it.
The customers who purchase our storage products—banks and financial firms, insurance companies, e-commerce sites, social media companies, and so on—keep virtually all the data that they produce or acquire. And they keep buying more storage to accommodate all this data.
At some point, companies have far more data than they can manage, so it just sits on storage systems in their data centers. When those data centers are breached, companies often do not know they have been breached, or which information was accessed, until it is far too late.
Organizations have not settled on a universally accepted practice for classifying and securing sensitive data, and for purging it, verifiably, once it is no longer needed.
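As an added illustration (not code from the original post, and not Ashley Madison’s or anyone else’s actual implementation), here is what a “full delete” that can be trusted looks like in Python against a hypothetical SQLite schema: the deletion purges profile, message, and account rows, scrubs the identifying fields from billing records that must be kept for accounting, and then a sweep over every text column of every table confirms that nothing identifying the user remains. The table and column names and the sample rows are constructed for the example.

```python
"""Account deletion that actually purges PII, plus a sweep that proves it.

Added example; the schema, names, and rows below are hypothetical and
constructed for illustration, not taken from any real site.
"""
import sqlite3

# Hypothetical schema standing in for a dating site's tables.
SCHEMA = """
CREATE TABLE users (
    id INTEGER PRIMARY KEY, email TEXT, real_name TEXT, address TEXT);
CREATE TABLE profiles (
    user_id INTEGER, display_name TEXT, bio TEXT);
CREATE TABLE messages (
    id INTEGER PRIMARY KEY, sender_id INTEGER, recipient_id INTEGER, body TEXT);
CREATE TABLE payments (
    id INTEGER PRIMARY KEY, user_id INTEGER, cardholder TEXT, card_last4 TEXT,
    amount_cents INTEGER, paid_at TEXT);
"""


def open_db():
    """Return an in-memory database seeded with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?,?,?,?)", [
        (1, "pat@example.com", "Pat Example", "12 Elm St, Springfield"),
        (2, "sam@example.com", "Sam Sample", "7 Oak Ave, Shelbyville"),
    ])
    conn.executemany("INSERT INTO profiles VALUES (?,?,?)", [
        (1, "pat_s", "Bio text written by Pat Example"),
        (2, "sam_s", "Looking around"),
    ])
    conn.executemany("INSERT INTO messages VALUES (?,?,?,?)", [
        (10, 1, 2, "hi, it's pat@example.com"),
        (11, 2, 1, "hello"),
    ])
    conn.executemany("INSERT INTO payments VALUES (?,?,?,?,?,?)", [
        (100, 1, "Pat Example", "4242", 1900, "2015-07-01"),
        (101, 2, "Sam Sample", "1111", 1900, "2015-07-02"),
    ])
    conn.commit()
    return conn


def user_identifiers(conn, user_id):
    """Values that identify the person. Capture these BEFORE deleting,
    because afterwards the users row is gone."""
    row = conn.execute(
        "SELECT email, real_name, address FROM users WHERE id = ?",
        (user_id,)).fetchone()
    if row is None:
        return []
    cardholders = [r[0] for r in conn.execute(
        "SELECT DISTINCT cardholder FROM payments WHERE user_id = ?",
        (user_id,))]
    return [v for v in list(row) + cardholders if v]


def full_delete(conn, user_id):
    """Purge everything that identifies user_id. Billing rows stay for the
    books, but the fields tying them to a person are blanked."""
    with conn:  # one transaction: all of it or none of it
        conn.execute(
            "DELETE FROM messages WHERE sender_id = ? OR recipient_id = ?",
            (user_id, user_id))
        conn.execute("DELETE FROM profiles WHERE user_id = ?", (user_id,))
        conn.execute(
            "UPDATE payments SET user_id = NULL, cardholder = NULL, "
            "card_last4 = NULL WHERE user_id = ?", (user_id,))
        conn.execute("DELETE FROM users WHERE id = ?", (user_id,))


def residual_pii(conn, identifiers):
    """Scan every column of every table for any identifier (substring match).
    Returns (table, column) pairs where something was found; empty means
    the deletion left nothing behind. Table/column names come from the
    catalog, not from user input, so quoting them into SQL is safe here."""
    hits = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        cols = [c[1] for c in conn.execute(f'PRAGMA table_info("{table}")')]
        for col in cols:
            for ident in identifiers:
                found = conn.execute(
                    f'SELECT 1 FROM "{table}" WHERE CAST("{col}" AS TEXT) '
                    f'LIKE ? LIMIT 1', ("%" + ident + "%",)).fetchone()
                if found:
                    hits.append((table, col))
                    break
    return hits


if __name__ == "__main__":
    db = open_db()
    ids = user_identifiers(db, 1)
    print("before:", residual_pii(db, ids))
    full_delete(db, 1)
    print("after: ", residual_pii(db, ids))
```

The point of the sweep is that deletion should be proven rather than assumed: a routine that only removed the users row would leave the user’s name and card details sitting in the payments table, which is the kind of retention the Impact Team alleged, and residual_pii would report exactly that.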
And users continue to share their data on the World Wide Web, because its utility and simplicity are so seductive.
It’s alarming, and we haven’t seen the worst of it yet.