No doubt the revelation of a data breach at the online dating site, Ashley Madison has 37 million people looking over their shoulder about now.
Unlike some dating sites where singles are put in touch with each other, Ashley Madison exists to facilitate affairs between people who are already attached to someone else. The site’s motto, “Life is short. Have an affair,” explains it all.
While the Ashley Madison breach is hardly the first dating site to be breached, it has significant potential to cause damage that goes far beyond some stolen credit card numbers, although that risk exists.
The people who did the hacking, a shadowy bunch called the Impact Team, are threatening to expose all of the information they stole from the site, including names and contact information, but also including credit card numbers, compromising photos, and detailed preferences that most people would prefer not to be made public.
At least some of this information has been posted publicly, according to security researcher and blogger Brian Krebs, who first reported the breach. Unlike most breaches where the goal is money, the Impact Team is demanding that Ashley Madison shut down the site and other similar companion sites.
ALM reported the breach on its website, and has since updated its statements to say that it has used the provisions of the Digital Millennium Copyright Act to remove the posts related to the incident and to remove the information that was posted online.
Considering that both ALM and the Ashley Madison site are located in Toronto, Ontario, it’s unclear how the company was using a U.S. law in Canada. The company has not responded to questions from eWEEK regarding this point.
However, the company did respond to an email about the incident saying that reports about the material that was breached were incorrect. According to spokesman Andrew Ricci, who responded to eWEEK by email, assertions that ALM did not actually remove user data from their servers even when they were paid to do so were wrong. In addition, ALM is offering the full deletion option to its customers for free. The service, which the spokesman referred to as a hard delete, was previously a paid service.
However, the spokesman was unable to confirm whether ALM was offering any sort of credit monitoring, despite the exposure of credit card numbers and other personally identifiable information.
Ashley Madison Dating Site Members Face Multiple Security Threats
According to Krebs and others, the breach may have been the result of a leak by a former employee or by a disgruntled employee who provided the access data to The Impact Team or who was part of the hacking team.
As unfortunate as the Ashley Madison breach might be for the people who had signed up for the service, the potential danger goes far beyond their potential credit card numbers or personal embarrassment.
While the initial public exposure of the data was limited and apparently brief, it was not a secret. Worse, if the information is ultimately made available in public, it will become a treasure trove for cyber-criminals.
But the real risk goes even beyond that. Consider that 37 million people is about one fifth of the U.S. adult population between 25 and 65, an age group that represents the bulk of the Ashley Madison population.
The potential overlap between this huge group of people and the personal information contained in other breaches, notably the breach of the U.S. Office of Personnel Management databases that took place earlier this year is unclear. But the fact is that there will be some people who appear on both lists.
While the overlap may not be large, if only because people in the OPM breach with high security clearances are less likely to be ALM customers because of the nature of their background checks, statistically the likelihood is that there will be overlap.
Now, imagine that you’re the state-sponsored hacking group that ended up with the data from OPM. What better way to come up with a short list of people that you will try to blackmail?
It won’t be a total success because there will be some who have resolved their need to have affairs by becoming single. But there will also be those who will do anything to prevent their spouses from finding out that they were on the list, never mind the preferences and photos.
And therein lies the lurking security problem of websites where someone else controls your data. It’s bad enough when the bank or your favorite department store loses your credit card numbers. But the security problem created by data that’s very personal getting out is orders of magnitude worse.
Worse, there’s no good way to resolve a problem like this, short of avoiding this kind of dating site. Perhaps the best way to approach this sort of problem is to only share personal information that you don’t mind if it’s released in the public domain.