BreachExchange mailing list archives

Ashley Madison Reveals Even More: Hacking May Be An Inside Job


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 29 Jul 2015 19:03:49 -0600

http://www.jdsupra.com/legalnews/ashley-madison-reveals-even-more-81416/

In recent years, hacking has infiltrated the retail industry. Hacking has
infiltrated the healthcare industry. Hacking has infiltrated the sports
industry. And now, hacking has infiltrated the most personal (some
would say immoral) activities we engage in on the Internet.

Last week, Ashley Madison, an international website that facilitates
adultery, publicly announced that it was hacked and that significant
amounts of customer information were stolen as a result. Worse, it was
allegedly hacked by an Ashley Madison customer.

The incident takes the traditional motivations for hacking – high-profile
chaos and high-profile money – to new heights. Namely…extortion. The
hacker(s) are apparently not asking for a monetary payout. They are
threatening to release names and personal information of other Ashley
Madison customers, unless the entire site permanently shuts down
operations. If the headlines are accurate, the hackers’ motivation is
discontent with a service offered by the website that supposedly wipes
clean any trace of a soon-to-be former customer’s affiliation with the
service. (That service used to cost $19 and now costs $0.)

I have to scratch the back of my head each time I remind myself that this
“front page news” is in connection with a website based on adultery, and
one advertising a slogan that encourages marital affairs and which displays
prominently on its home page a seductive female with her finger over her
lips in typical “shhh” fashion. The woman also sports a stereotypical male
wedding band. Front. Page. News. While the headlines are likely being
driven by prurient interest, there are real public policy and legal issues
at stake here. We should be concerned with this new form of “insider
hacking,” where one customer holds another customer’s information
hostage—and where the threat of public disclosure (and implicit threat of
the lawsuits that could follow) forces businesses to meet hacker demands.

Whether or not one agrees with the premise of Ashley Madison is irrelevant.
And whether or not the motivation behind any alleged hacking is revenge or
spite is irrelevant. If a current or former customer of a service itself
perpetrated the hack, then we find ourselves in a place where not only are
professional sports, retail giants, and banks vulnerable to potential
hacking, but every individual consumer is vulnerable to the potential
hacking capabilities of fellow consumers.

Who among us hasn’t been frustrated by a website’s service before? Ever try
to unsubscribe from a mailing list, only to be told it could take up to a
week to process your request (even though it took you a nanosecond to “sign
up” in the first place)? Most of us would never take that frustration to
the next level. Most of us wouldn’t seek revenge, and even if we did, we
wouldn’t take it out on our fellow customers. “Living well is the best
revenge,” they say. But all it takes is one person – maybe the guy (or gal)
in the cubicle next to you – to disagree.

And with the Ashley Madison hack, the stakes are high for those fellow
customers. Courts have wavered on whether being the victim of a data breach
constitutes harm sufficient to confer standing to sue. You can cancel your
cards, you can monitor your credit, but once you’ve been outed as a
cheater, you can’t put that toothpaste back in the tube. Agree or disagree
with the premise of the site, it’s hard to deny that revealing that someone
is an Ashley Madison user could potentially damage his or her reputation
(perhaps, some would argue, deservedly so). If the information goes public,
will there be a lawsuit? By a show of ring-fingered hands, who is going to
line up to join the putative class? The law in this area is in flux, there
are many kinks to work out, and this hack may have added a new wrinkle.
Beyond the prurient interest, there are many reasons to watch as this story
unfolds – and for your sake, I hope you are just watching from the
sidelines.