So we’ve all seen the headlines about Ashley Madison, the adulterer's website as it’s nicknamed. Here’s a taste of what the site’s attitude is like (this is a real advert, not a spoof):
It was the central focus of the film Men, Women & Children, which came out late last year. If you haven’t seen the film and want to know more about Ashley Madison’s operating model, the YouTube clip at the end of this blog is worth a watch.
Interestingly the CEO of Ashley Madison, Noel Bilderman, was interviewed by the Daily Dot in 2013 and this paragraph stands out:
Discretion is Ashley Madison’s highest priority. Biderman has spent millions of dollars on the site’s security, and in the past decade, Ashley Madison has only had about a dozen hack attempts—none of which were successful … thinking of the user’s privacy Ashley Madison is “far and away the best”, Biderman says.
So how did they get hacked? What happened? And what can banks learn from this?
According to Wired:
The hackers from Impact Team told Motherboard, “We worked hard to make fully undetectable attack, then got in and found nothing to bypass….Nobody was watching. No security. Only thing was segmented network. You could use Pass1234 from the internet to VPN to root on all servers.”
John McAfee, the intriguing cybersecurity bad boy of computing, claims that ti was an inside job, organised by a female employee of the company:
- The hacker gained access to “source code” — the “keys to the kingdom” of a company and “the most difficult for any hacker to obtain” because the information is carefully guarded to keep it out of competitors’ hands. “For a hacker to gain all the source code from a company is almost unheard of … unless (they are) going to be competing against Ashley Madison by creating an identical site, that source code has no use to a hacker.”
- The hacker obtained office layouts, which wouldn’t be stored in a centralised database, as well as the latest in company organisational information. Again, McAfee wonders, “of what value is this to a hacker who has already broken into a centralised database” and stolen valuable client information?
- The hacking of a list of stock-option agreements means the culprit would have had access to executives’ private files. “That’s the sort of information that would be … kept in only a few places. It wouldn’t be in a centralised database, it would be in a private file somewhere.”
- The hacker has referred to cheating men as “scumbags” in “vitriolic” manifestos, McAfee says, insisting this is something only a female would say in the context of infidelity. “That statement, ‘Men are scumbags,’ a man is not going to say that usually.”
It makes more sense to me that this was an inside job than a hack, as most bank vulnerabilities will come from an internal rather than external source. So that may be the lesson here: vigilance over key staff activities, especially those with access to code.
Nevertheless, it has resulted in major issues for the company, who are now offering a $500k bounty for the head of the hacker. After all, their business no longer holds any credibility (although I don’t think any of these sites have credibility – just look at AdultFriendFinder or Bang with Friends. Even Ashley Madison’s CTO is accused of hacking competitor's websites, so the risks were all known knowns.
The issues with the company don’t have my sympathy, but the company’s customers does have it. According to Canadian police there have been two suicides so far, and many people are probably involved in domestic disuptes right now. No wonder the site is wrapped up in a $500 million lawsuit, and that’s just for starters.
Meantime, if you do have a family member caught up in all this, do take note that the names released by the Impact Team do not necessarily mean that the person named uses the site. In fact, the Register recommends that you DON’T search for the data leaked as, if you do:
- your computer will almost certainly get infected with a virus if you do
- searching the data could add your name to an online list of likely Ashley Madison users
- the fact that someone's details are in the Ashley Madison data means absolutely nothing at all
Meanwhile, here are the Top 10 hacks of all time, according to Business Insider:
10. TRW Information Systems, June 1984
Number of records compromised: 90 million
How it happened: A stolen computer password
Despite happening over 30 years ago the TWR breach remains on the all time biggest data bungles in history. TRW Information Systems was an American corporation that was involved in a variety of businesses, including aerospace, automotive, and credit reporting until it was acquired by Northrop Grumman in 2002. In 1984 retro-hackers managed to use a stolen computer password to access the firm’s systems and compromise the credit histories of over 90 million people.
9. TJX Companies, January 2007
Number of records compromised: 94 million
How it happened: Hackers infiltrated its network
You may not have heard of TJX Companies, but chances are you’ve shopped in at least one of the store brands it owns. The firm currently owns T.K.Maxx, T.J.Maxx, Marshalls, HomeGoods and HomeSense. In 2007 the firm suffered a data breach that saw a cartel of hackers infiltrate its network and steal 94 million customer credit card numbers and transaction details.
8. The Korea Credit Bureau, January 2014
Number of records compromised: 104 million
How it happened: An inside job
The Korea Credit Bureau investigation alleged the breach was caused by an IT worker who copied the names, social security numbers and credit card details of 104 million customers onto a USB stick before selling them to a marketing firm.
7. Home Depot, September 2014
Number of records compromised: 109 million
How it happened: “A never before seen malware”
The Home Depot hack exposed the details of 56 million customers’ payment cards and 53 million customer email addresses. Official details remain scarce but Home Depot claimed the hackers used a previously unseen malware to evade its security systems, in a statement published just after the incident.
6. Target, December 2013
Number of records compromised: 110 million
How it happened: Hackers broke into its point of sales terminals
The Target breach is believed to have occurred between 27 November and 15 December 2013. It saw hackers break into Target’s systems and steal customers’ credit and debit card numbers, card expiration dates and debit card PIN numbers. In the wake of the breach former chief information officer Beth Jacob resigned from her role in the wake of a data breach in March 2014. Target chief executive Gregg Steinhafel soon followed and stepped down from his role in May 2014.
5. Heartland Payment Systems, January 2009
Number of records compromised: 130 million
Date reported: 01/20/2009
How it happened: A malware outbreak on its payment systems.
Payments service provider Heartland suffered a massive data breach in 2009 that compromised 130 million customers card details. Worse still, during an earnings call following the breach executives revealed the malware used to steal the information was successful because Heartland did not have antivirus software installed on its payment processing network at the time.
4. eBay, May 2014
Number of records compromised: 145 million
How it happened: Hackers used stolen employee details to break into its network.
The eBay data breach is one the worst in recent memory for two reasons. First, because the attack on its network compromised over 145 million customers’ passwords, usernames, email addresses, addresses, phone numbers and dates of birth. Second, because despite being aware of the breach since February 2014, eBay only alerted its customers in June 2014 – a move that naturally angered some of those affected.
3. Shanghai Roadway D&B Marketing Services, March 2012
Number of records compromised: 150 million
How it happened: Believed to be an inside job
The Shanghai Roadway D&B Marketing Services breach is one of the oddest on the list. News of the compromise emerged when Chinese police raided the D&B Marketing Services Shanghai Roadway headquarters. DataLossDB reported the raid stemmed from concerns members of the office “may have illegally bought and sold customers’ information” to companies involved in marketing or phone sales. The true cause of the breach remained murky, though D&B Marketing Services has shutdown the Shanghai office.
2. Adobe Systems, October 2013
Number of records compromised: 152 million
How it happened: Unknown
The Adobe 2013 data breach was massive. Originally spotted by security journalist Brian Krebs on October 3, 2013, the breach was so big Adobe and the security community actually struggled to figure out what information was in the initial data dump. After weeks of research it eventually turned out, as well as the source code of several Adobe products, the hack had also exposed customer’ names, IDs, passwords and debit and credit card information.
1. New York City Taxi and Limousine Commission., June 2014
Number of records compromised: 173 million
How it happened: A bungled freedom of information request
The 2014 NYC taxi data breach resulted from a botched attempt by the commission to anonymise data it was preparing to release for a freedom of information request. Thanks to the failed attempt to anonymise the data the NYC commission inadvertently released 20GB of data the detailed over 173 million taxi customers comings and going around the city. The data included the pickup customers pickup and dropoff location and time and various other titbits of metadata.
That list misses the biggest one in banking:
100 banks lose $1 billion, February 2015
How it happened: Malware attack
A report released by Russian security firm Kaspersky Lab indicates that international hackers have stolen as much as $1 billion from banks around the globe the series of thefts constitutes the largest known bank heist in modern history, affecting more than 100 banks in 30 countries.
And the biggest one of all time (before Ashley Madison)
SONY, December 2014
How it happened: Believed to be an inside job
Again, via exchanges in discrete web forums, it points to an inside job as researchers claim former employees with a grudge helped hackers to navigate Sony’s systems.
So the most likely issue in banking is the inside job or external malware attack, as if we didn’t know. Oh, and here’s that clip about Men, Women & Children