The AshleyMadison.com Breach: A Teachable Moment for Data SecuritySeptember 21st, 2015
Many people followed the news about the AshleyMadison.com data breach with a mix of prurient interest, schadenfreude, and—for some—fear of personal exposure. Here at DiscoverReady, we followed the news to understand the data security failures that allowed a breach of this severity, and the lessons that could be learned and shared with our clients.
To recap: AshleyMadison.com, which touts itself as the premier website for married people seeking partners for affairs, suffered a headline-grabbing data breach earlier this year. Hackers stole account information and payment transaction details for more than 35 million members of the site. When the corporate owner of AshleyMadison.com refused to accede to the hackers’ demand to shut down the site, the hackers posted the stolen data online to the dark web. The data included users’ names, mailing addresses, email addresses, phone numbers, passwords, and partial credit card numbers. The data dump also contained users’ profiles, which included descriptions of what they were seeking in an affair partner (“I’m looking for someone who isn’t happy at home or just bored and looking for some excitement,” wrote one member).
Here are some of our observations on the data security implications of this breach:
Each organization should conduct an individualized assessment of what constitutes its most sensitive data.
Beauty is in the eye of the beholder. And so is the sensitivity of data—at least in terms of which data are worthy of security measures more rigorous than the minimum required. (Those minimum requirements might be set by statute or regulation, by contract, or by established industry standard.) At AshleyMadison.com, the company apparently considered passwords and credit card numbers sensitive enough to warrant additional protection. Passwords were encrypted (although not effectively; more on that below). And credit card numbers were truncated, so the database stored only the last four digits. But remarkably—given the website’s purpose—the company did not believe that its users’ names and contact information merited such additional protection. Nor did it take any extra steps to safeguard the highly personal, soul-baring content of its members’ profiles.
Every organization possesses sensitive data of some kind. But what’s highly sensitive to one company might be ho-hum to another. Would volunteers registered with Habitat for Humanity be outraged if the charity’s IT systems were breached, and their names, along with information about the types of home-building projects they prefer to work on, were released to the public? Of course there would be cause for concern over the fact of a breach, but I doubt any of those volunteers would lose sleep because they were associated publicly with a respected charitable organization. But in that same hypothetical, what if the breach revealed the names and financial status of low-income families helped by the charity? Those families certainly would expect the organization to secure that information more zealously.
Every organization should conduct its own individualized risk assessment to identify its most sensitive data, and create a triage-based system for protecting information. A company can’t take every conceivable measure to protect every piece of data—principles of proportionality come into play, and risk mitigation must be balanced with cost and efficiency of business processes.
Organizations can no longer rely on traditional IT security measures—they should turn to protect-in-place strategies.
You’ve probably heard it said already: It’s not a matter of IF a company experiences a data breach, it’s a matter of WHEN. Traditional data security measures, which rely on physical infrastructure and process controls to prevent breaches, are not enough anymore. Because those measures leave organizations vulnerable to attack, other types of protection should be incorporated into a robust data security program. One such solution is a “protect-in-place” strategy, also referred to as a “data-centric” approach. Using this approach, data are masked or encrypted or tokenized, so that even if hackers gain access, the information is unreadable and therefore useless.
AshleyMadison.com tried to employ a protect-in-place strategy for its password data using data hashes. The passwords were masked using the ”bcrypt” hashing system, implemented with a cost factor of 12, which would have been a highly-secure, virtually unbreakable authentication check method. However, a subset of the passwords and logins were processed using the far less secure MD5 hash method before being passed through the bcrypt hash method. Once the stolen data were released to the web, data security experts (and some hobbyists) set out to break the password encryption. It didn’t take long for them to crack the MD5-hashed process, and once that happened, the decrypted passwords essentially provided a “key” to unlock the bcrypt encryption. The end result? Most of those encrypted passwords have now been decrypted.
So even a protect-in-place strategy isn’t enough if it’s not deployed correctly. A recent blog post at Ars Technica about the password decryption aptly observed, “a single misstep can undermine an otherwise flawless execution.” Companies need true experts to help design and implement data security measures, and those measures should be revisited frequently to ensure they remain state-of-the-art. And as noted above, the efficacy of these protections must be weighed against their business cost. Not only can these tools be expensive, but they also impact business operations by slowing down the flow of data and the speed of transactions, and restricting access to information. Companies face tough choices about which data are sensitive enough to merit additional protection, and which are not.
If you make data security promises, keep them.
AshleyMadison.com faced criticism for more than just the fact of the breach. The company made promises to its users and the broader internet community that apparently it failed to honor, resulting in a blow to its reputation—and a flurry of lawsuits.
First, there was the hubris. According to Robert Scoble, a technology evangelist currently working as the Futurist at Rackspace, a representative of AshleyMadison.com reached out to him looking to set up an interview with its President and CEO Noel Biderman (who later stepped down in the wake of the hack). The purpose of the interview? To explain how AshleyMadison.com had become “the last truly secure space on the Internet,” and why “companies need to take every measure to ensure the security of their customer’s data.” Oh, the irony. Here’s a look at the message to Scoble:
Second, AshleyMadison.com marketed an extra security feature to its members: For an additional fee of $19, users could sign up for the “full delete” service, which promised to completely erase the user’s profile and all data associated with the user. According to the hackers (and as alleged in several lawsuits), the company did not in fact delete data as promised. Indeed, in their “manifesto” to AshleyMadison.com, the hackers pointed to this alleged fraud—which the hackers claim netted the company $1.7 million in revenue in 2014—as a motivation for their hack.
So what’s a responsible company to do? There is no “Easy” button for effective data security. But if an organization acts reasonably and thoughtfully, hires smart, creative people, devotes appropriate resources, and learns from everyone’s mistakes, it minimizes the risk of a catastrophic data security failure. At DiscoverReady, we’re proud of—but never arrogant about—the industry-leading measures we use to protect our clients’ information. But whatever you do—don’t claim to be the last truly secure space on the Internet.
Have questions about data security or the legal ramifications of data breaches? Contact me and let’s chat.