Infidelity Dating Site Agrees to Privacy, Security Overhaul

Ashley Madison, the extramarital online hookup service breached in 2015, has agreed to bolster its security and make key data retention changes after regulators in Australia and Canada ruled that the site had violated local privacy laws (see Ashley Madison Breach: 6 Lessons).
Both the Office of the Privacy Commissioner of Canada and the Office of the Australian Information Commissioner found Avid Life Media, the Toronto-based company that runs the website, did not have documented information security policies in place or proper breach detection capabilities. The company violated both Canadian and Australian privacy laws, regulators ruled.
"It is not sufficient for an organization such as ALM, or any organization that holds large amounts of personal information of a sensitive nature, to address information security without an adequate and coherent governance framework," the regulators say in a summary of the investigation published Aug. 22.
In one of the more damaging findings, ALM acknowledged fabricating a medal icon and other "trustmarks" that were displayed on Ashley Madison's homepage. The marks implied the website had strong security, which deceived users in order to get their consent, the regulators say.
The Ashley Madison breach, one of the most high-profile incidents of last year, was particularly sensitive given the lurid nature of the service. In mid-July 2015, a group calling itself the Impact Team gave ALM an ultimatum: shut down Ashley Madison and a related site, Established Men, or else the attackers would dump user data.
The Impact Team claimed that Ashley Madison was a fraud and opposed some terms of the website, which included having to pay a fee for the full erasure of an account.
The company resisted, even after the group leaked a small sample of data. The Impact Team then released three dumps, comprising nearly 30GB of data. The files included customer names, email addresses, postal codes, partial credit card numbers, hashed passwords, GPS data and the amount paid for subscription services for some 36 million accounts (see Researchers Crack 11 Million Ashley Madison Passwords).
Also released were embarrassing internal company emails, including those of former CEO Noel Biderman; source code for some of ALM's websites; and financial records and company documents.
In July, ALM officials told Reuters that the U.S. Federal Trade Commission is also investigating the breach. The company also faces a raft of class-action lawsuits tied to the disclosure of personal data and charges that it manipulated male customers by using automated chat bots (see No Surprise: Ashley Madison Breach Triggers Lawsuits).
Security Overhaul
In July, Avid Life Media changed its name to Ruby Corp., announced that it had hired a new CEO and dropped the infamous Ashley Madison tagline - "Life is short. Have an affair." - in favor of "Find your moment." It also now bills Ashley Madison as "the original extramarital affairs site" (see Ashley Madison Seeks Security Reboot).
ALM - now Ruby - has agreed to comply with an extensive set of conditions and deadlines laid out by regulators. The government agencies could take the company to court if it fails to meet those conditions.
For example, by May 31, 2017, the company must implement a policy to delete deactivated or inactive accounts after an "appropriate period," according to the terms, signed by James Millership, president of ALM/Ruby.
Prior to the data breach, ALM had charged users $19 for a "full delete" to scrub their personal data from its systems - an unheard-of fee for a web service. But based on data leaked by the Impact Team, it appeared that the company not only didn't scrub any personal data, but also didn't fully delete users' accounts after they paid $19. The company eventually dropped the fee.
If the company chooses to continue to require users to submit an email address, it will have to take steps to ensure the accuracy of that information, regulators say.
For starters, all staff and contractors with network access to ALM will be required to have security training. The regulators found 75 percent of the company's staff had not received general privacy and security training. Ironically, ALM was in the process of developing written security policies and procedures when the breach occurred.
The company is also required to put in place an information security management framework, along with processes and policies, which will be verified by a third party. A report on the effort is due by July 2017.
Regulators Detail Lackluster Defenses
While ALM had some breach detection and monitoring capabilities in place, those tools were more focused on site performance issues and monitoring employees' access to customer data, regulators say.
"ALM had not implemented an intrusion detection system or prevention system and did not have a security information and event management system in place or data loss prevention monitoring," the agencies say.
The attackers stole account credentials for an employee, then used those credentials to gain access to the corporate network and compromise other accounts. After several months of lurking inside the company's network, the attackers appeared to have mapped ALM's network topography and exfiltrated customer data.
The hackers took some care to mask their activity. The regulators say that the infiltrators used a VPN, allowing them to sport IP addresses that made them appear to be located in Toronto. Once inside the system, the attackers deleted log files, which made it harder to trace the intrusions.
ALM provided regulators with other evidence of its poor security practices. For example, plaintext passwords were found in emails and other text files on the network. Encryption keys were also stored as plaintext. One server had an SSH [secure shell] key that was not password-protected, which allowed an attacker to connect to other servers.
ALM employees used a VPN service to log into the network. But a shared secret for the VPN service was stored on Google's Drive service. The regulators noted that "anyone with access to any ALM employee's drive on any computer, anywhere, could have potentially discovered the shared secret."
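As an added defender-side example (not from this article, from ALM or from the regulators), the following Python audit flags the two hygiene failures described above in a set of files: private keys stored without a passphrase, and passwords or shared secrets written in plaintext. The file names and contents are constructed samples; the OpenSSH key is a truncated header only.

```python
import base64
import re

OPENSSH_MAGIC = b"openssh-key-v1\x00"
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)-----END", re.S)
CREDENTIAL = re.compile(r"(?i)\b(pass(word|wd)?|secret)\s*[:=]\s*\S+")

def openssh_cipher(body_b64: str) -> str:
    """Cipher name from an OpenSSH private key body: magic string, then a
    length-prefixed cipher name. "none" means no passphrase protects the key."""
    raw = base64.b64decode("".join(body_b64.split()))
    if not raw.startswith(OPENSSH_MAGIC):
        return "unknown"
    n = int.from_bytes(raw[15:19], "big")  # 15 == len(OPENSSH_MAGIC)
    return raw[19:19 + n].decode("ascii", "replace")

def key_is_unprotected(text: str) -> bool:
    """True if text holds a private key usable without a passphrase."""
    m = PEM_BLOCK.search(text)
    if not m:
        return False
    label, body = m.group(1), m.group(2)
    if label == "OPENSSH PRIVATE KEY":
        return openssh_cipher(body) == "none"
    # Classic PEM / plain PKCS#8 keys are unencrypted unless explicitly marked.
    return (label.endswith("PRIVATE KEY") and label != "ENCRYPTED PRIVATE KEY"
            and "Proc-Type: 4,ENCRYPTED" not in body)

def scan_files(files: dict) -> dict:
    """Map file name -> findings for files holding unprotected keys or credentials."""
    report = {}
    for name, text in files.items():
        findings = []
        if key_is_unprotected(text):
            findings.append("unencrypted private key")
        for lineno, line in enumerate(text.splitlines(), 1):
            if CREDENTIAL.search(line):
                findings.append(f"plaintext credential on line {lineno}")
        if findings:
            report[name] = findings
    return report

# Constructed sample files (not from the page): a passphrase-less OpenSSH key
# (header only, truncated), an encrypted PEM key, and a note holding a password.
SAMPLE_FILES = {
    "deploy_key": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAABG5vbmU=\n-----END OPENSSH PRIVATE KEY-----\n",
    "backup_key.pem": "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n\nAAAA\n-----END RSA PRIVATE KEY-----\n",
    "vpn_notes.txt": "VPN shared secret for the office gateway\npassword = example-not-real\n",
}
```

Running `scan_files(SAMPLE_FILES)` reports the passphrase-less key and the plaintext password while leaving the encrypted PEM key alone; the same checks can be run over a real file tree or a mailbox export.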
Site Still Running
Perhaps the most startling aspect of the Ashley Madison incident is that the site is still running. After the breach, researchers combed through the user data and came to the conclusion that most customers were male.
An analysis by Gizmodo - based on source code and internal emails - pointed to ALM propping up activity on the site by using an army of chat bots that presented themselves as female. The bots - referred to as "hosts," "engagers" or "fembots" - would chat up male site visitors, making it appear women were highly active on the site.
Even if Ashley Madison was more fantasy than it let on, the dating site was immensely lucrative. ALM told regulators it brought in $100 million in revenue in 2014. According to Reuters, ALM says its 2015 revenue was $109 million, with a profit margin of 49 percent.