What was lost?

Personal data that was lost includes names, postal addresses, credit card numbers and sexual fantasies. Worse, the organisation charged a $19 fee to carry out a "full delete" on user accounts, which appears not to have actually been done.
Who did it?

The hackers claiming responsibility are a group called the Impact Team, and the database was comprehensively stolen. A recent article in The Guardian states that it was an insider threat: the compromise was carried out by someone who had access to the systems but was not an employee, highlighting the need for control over third-party access.
Morality?

I've read a few comments saying that people should not be using these sorts of sites. A crime was committed when the database was stolen, yet we are judging the victim for the crime. Who is to blame if your house is broken into: the criminal or the victim?
Advice

Be aware that there is no safe place on the internet. The internet is effectively a public place to which the majority of people have access. You are entrusting a third party to look after your data, so in this case a secure and unique password would not have helped the users.
The fault here lies with Ashley Madison. Several security technologies would have prevented this from happening:
- A Privileged Account Security solution would have prevented the third party from reusing their access to the system and, with some solutions, recorded the sessions of the compromise.
- A database encryption solution would have prevented the stolen data from being usable.
- A Data Leak Prevention (DLP) solution would have prevented the data from being exfiltrated from the organisation.
- A Security Analytics solution would have seen and prevented this.
I have mentioned the Cyber Kill Chain in the past; these solutions would have stopped the compromise and the data leaving the organisation.
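As an added illustration, not from the original post, of what the Security Analytics and privileged-access controls above look like at their simplest: the Python below runs a rule over constructed database audit-log lines and flags a third-party account that reads a sensitive table in bulk, or that connects outside its contracted hours. The log format, the account and table names, the row threshold and the access window are all assumptions made up for this example.

```python
"""Toy security-analytics rule: flag bulk reads of sensitive tables by
third-party accounts. The log format and all values below are constructed
for illustration; they are not real audit data."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample of database audit-log lines (hypothetical format).
SAMPLE_LOG = """\
2015-07-12T14:02:11Z user=app_web src=10.0.1.10 action=SELECT table=members rows=1
2015-07-12T14:02:12Z user=app_web src=10.0.1.11 action=SELECT table=members rows=1
2015-07-12T15:30:00Z user=vendor_dba src=10.9.9.5 action=SELECT table=members rows=200
2015-07-12T02:14:03Z user=vendor_dba src=10.9.9.5 action=SELECT table=members rows=50000
2015-07-12T02:15:40Z user=vendor_dba src=10.9.9.5 action=SELECT table=payments rows=50000
2015-07-12T02:16:02Z user=vendor_dba src=10.9.9.5 action=SELECT table=preferences rows=50000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"action=(?P<action>\S+) table=(?P<table>\S+) rows=(?P<rows>\d+)$"
)

# Hypothetical policy: accounts owned by third parties, tables holding
# personal data, what counts as a "bulk" read, and the contracted access
# window for contractors (hours, UTC, start inclusive / end exclusive).
THIRD_PARTY_ACCOUNTS = {"vendor_dba"}
SENSITIVE_TABLES = {"members", "payments", "preferences"}
BULK_ROW_THRESHOLD = 10_000
ACCESS_WINDOW_UTC = (9, 18)


def parse_line(line):
    """Parse one audit line into a dict, or return None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["rows"] = int(ev["rows"])
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc
    )
    return ev


def check_event(ev):
    """Return the list of policy reasons an event should be alerted on."""
    reasons = []
    if ev["user"] not in THIRD_PARTY_ACCOUNTS:
        return reasons  # first-party accounts are outside this rule's scope
    start, end = ACCESS_WINDOW_UTC
    if not (start <= ev["ts"].hour < end):
        reasons.append("third-party access outside contracted window")
    if ev["table"] in SENSITIVE_TABLES and ev["rows"] >= BULK_ROW_THRESHOLD:
        reasons.append("bulk read of sensitive table")
    return reasons


def analyse(log_text):
    """Run the rule over every line and collect alerts for flagged events."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        reasons = check_event(ev)
        if reasons:
            alerts.append({"user": ev["user"], "table": ev["table"],
                           "rows": ev["rows"], "reasons": reasons})
    return alerts


def sensitive_rows_by_user(log_text):
    """Total rows read from sensitive tables per account; a simple baseline
    that makes a 150,000-row contractor read stand out against normal app traffic."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["action"] == "SELECT" and ev["table"] in SENSITIVE_TABLES:
            totals[ev["user"]] += ev["rows"]
    return dict(totals)


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
    print(sensitive_rows_by_user(SAMPLE_LOG))
```

In a real deployment the thresholds would come from an observed baseline rather than constants, and an alert on a privileged third-party account would feed a session-recording or access-revocation control rather than just a print statement; the point of the example is that the signal (a contractor pulling whole tables of personal data at 02:00) is plainly visible in ordinary audit logs.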
For me, this is not a case about morality, but we allow morality to cloud our thoughts and let a criminal act be downplayed because of it. This is a crime, and worse, a crime that could have been prevented. The right solutions, configured correctly and supported by policies and procedures, would have prevented this hack from happening.