Adult infidelity Website Ashley Madison and its owner Avid Life Media (AVM) are reeling today from a catastrophic attack against its systems that has now exposed the information of 37 million account holders to public scrutiny.
The breach was first disclosed in July, with attackers threatening to disclose information on account holders in an attempt to embarrass them, which is now precisely what has happened.
It shouldn’t be that way. To be clear, the attack against Ashley Madison is not about morality or ethics or national security—it’s a criminal action. Attackers broke into the site and stole stuff; it’s that simple.
As such, anything that came from the breaking and entering of Ashley Madison, in my view, should be considered the proceeds of crime. Regardless of what jurisdiction you live in, there are always laws protecting victims from being further victimized and no one should profit from the proceeds of crime.
Yet, in the Ashley Madison attack, there is an online feeding frenzy as people attempt to download the leaked data and look for information. I have seen all manner of reports about what the data shows, the geographic distribution of Ashley Madison members and the like. None of that should be open to public ridicule, yet it is.
This is the second time this year that the proceeds of crime have been leaked online and then aggressively analyzed by the online community. The first time was likely the breached documents of Italian security vendor Hacking Team. In that incident, however, there was some good that came from going through the documents. Multiple zero-day issues in Microsoft and Adobe products were discovered and fixed by vendors. Those were likely security issues that were being exploited in the wild, and the Hacking Team breach brought the exploits to light, so they could be fixed.
No good can come from the public disclosure of millions of Ashley Madison account holders. Or can it?
When it comes to paying a ransom—which is essentially what the Ashley Madison attackers wanted—is it right to negotiate with kidnappers (or terrorists)? That’s a deep moral question that I’m not going to attempt to answer here. AVM decided not to negotiate, and the attackers made good on their threats.
AVM noted after the initial breach disclosure in July that it had retained the services of a security vendor to help protect the Ashley Madison site. Apparently, that was too little too late. Once the attacker had all the information, there simply was no way to get it back.
As already stated, AVM is the victim here, and a crime has occurred. That said, there are some lessons learned about things that should have been in place at AVM that could have prevented this breach in the first place.
While we don’t know how the attackers got into the AVM system, we do know that they did get data out.
For modern security, it’s not always possible to block all incoming attacks, but it is essential to monitor and secure data. To that end, the most obvious item that should have been in place is encryption; if the entire database had a robust encryption scheme, even if someone stole the data, it would be somewhat less useful.
Additionally, there should be some kind of monitoring technology in place that looks at data going out of the system. Such a monitoring system could have noticed that information on 30 million accounts was somehow being copied and exfiltrated.
AVM now stands as a prime example of a worst-case scenario of what can happen in the modern connected world when a motivated attacker wants to embarrass a company. Let’s hope that some good can come from this incident and other organizations will ask themselves what they need to do to make sure they don’t become victims and are doing everything possible to protect users and their data.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.