Last week, Avid Life Media, the company behind adult fantasy websites Ashley Madison, Cougar Life and Established Men admitted it was a victim of a successful cyber attack.
There are 37 million users of Ashley Madison and each member must now wait nervously to see if their most intimate and private information will be published for the masses, or if they will be given the opportunity to prevent that from happening at a cost.
Given the sensitivity of the data, this attack could be the most lucrative cyber heist ever, or set other more worrying precedents.
The repercussions of this story are profound in a world where, for instance, medical records and credit scores are connected to the internet by devices or where moving cars can be crashed remotely by hackers.
The extremely personal, financial and employment data relating to Ashley Madison users face the prospect of being held to ransom by a group called Impact Team. They have already leaked some details, and are threatening to release even more to the public. No doubt some would swap that with a car prang or a leaked asthma diagnosis.
It is difficult at this stage to identify how this attack occurred. We already know users often use low-quality passwords. However, such a comprehensive breach suggests 37 million individual passwords were not guessed one at a time; it’s more likely the breach was a systemic one.
In other breaches the root causes have ranged from disgruntled ex-employees to current employees whose access credentials were compromised by social engineering. Others are the result of automated, computerised attacks using advanced malware infection to break down cyber security barriers.
In this post-breach period, discussions within the Ashley Madison offices must be very heated. However, crises like these tend to be seen by many and only forgotten as and when the media decides it has written, taped and recorded enough material to call it ‘old news’. Clearly, Ashley Madison is going to be looking to find a way to limit reputational damage.
The breach at Ashley Madison will have a long tail because of the sheer scale and the sensitivity of the personal data taken from its members, and given the nature of the information, it could be exploited as early as tomorrow or in a year’s time. There are many options available that cyber attackers can use to exploit the information they harvest, and in this case, each one can potentially set new precedents.
The first possibility is if Impact Team follows through with its threat of publicly exposing user information with the intent of shaming them. This would make Ashley Madison among the first large-scale cyber-attacks motivated chiefly by morality, even if it turns out to also be partially motivated by a financial incentive.
Read more on cyber security:
- Joint venture forged to incubate small cyber firms securing Internet of Things and big data
- Nearly one in ten UK workers watch porn at work despite knowing it’s risky
- Government to unite 50 young British cyber security experts from 13 UK universities
Such attacks are worrying in that the adversaries are not as easily deterred by high costs in carrying out the attack, and individuals will forever more need to be concerned about their private lives being made public against their will.
However, most attacks against companies tend to have a financial motivation, and attackers focus on the activities that they feel will provide the greatest return for their invested efforts. Some believe Impact Team has released data and threatened to release more in order to increase the ransom or resale value of the data they still hold.
One scenario is that Impact Team – or whomever they sell to – will use the data to ransom Ashley Madison users, with the threat of disclosing the records publicly (or to loved ones) unless a specific amount is paid. With as many as 37 million potential victims and many who can be high-net worth individuals, this can make the Ashley Madison breach highly lucrative, potentially one of the richest cyber heists ever.
At the same time, lower net worth individuals can still be interesting for cyber attackers due to their professional access to corporate networks or high-value resources. Cyber attackers can hold such employees at ‘mousepoint’ by requesting access to a corporate database or otherwise facilitating a data breach in exchange for safe and private return of that employee’s sensitive data.
Attackers can also resell personal data records to other cyber attackers for a fee, which can then provide vital points of entry for larger targeted attacks on specific organisations. When the data is fresh and recently obtained it can be sold in the ‘grey market’ to the highest bidder because no one else has this set of information.
What we do know is there are some defensive moves which we can all take to reduce access to sensitive personal data From Blue Coat’s own research, UK employees are still unaware of best practices regarding the protection of personal and work information online. Today, 54 per cent of UK employees are connecting with strangers on social media and 18 per cent of UK employees have never had IT training.
Training is not the only solution to cyber threats but more guidance is clearly needed because cyber criminals are using social media and finding information about individuals which can break passwords. If successful, there is sufficient leverage for attackers to gain unrestricted access to corporate networks and take sensitive work information.
Most soberingly, while the consequences won’t be fully known until Impact Team acts, the Ashley Madison breach looks as though it will leave a lasting legacy. If Impact Team does choose to use the data for ransom, this will be one of the most lucrative – and embarrassing – data breaches in recent memory.
But if they carry through on their threat to publicly disclose the data, it could well mark the start of a new worrying trend towards major cyber attacks being motivated by morality or ideology instead of financial gain.
If cyber crime becomes a tool in campaigns to bring down corporations and government departments, or to make socio-political statements, the real message of Ashley Madison Cyber life is short but it has a long, insecure tail.
Robert Arandjelovic is director of security strategy EMEA at enterprise protection form Blue Coat.