Insights on the Ashley Madison data leaks
In response to the Ashley Madison data leak update, Tod Beardsley, security engineering manager at Rapid7, made a statement detailing his personal opinions on the situation. He stated:
“Curiosity seekers, suspicious spouses, and divorce attorneys would do well to avoid
wasting too much time hunting for “one true and correct” Ashley Madison dump on
their own. While the dump from last night appears to be credible among the few
forensic experts who have looked at it, the data itself in the “real” dump is rather
suspect. In addition, even fake data can hurt real people.
For starters, it’s trivial to set up a fake account on Ashley Madison, since Avid
Life Media’s (ALM’s) account setup procedures encourage, but do not require, an
e-mail address to be verified by the user. This might be done for a variety of
reasons by actors ranging from pranksters to bitter divorce rivals.
Second, the majority of “real” account holders tend to use fake, throw-away data and
details, for obvious reasons. If some of those fake details happen to coincide with
a real person, then it can create a sticky problem for that real person.
Finally, even if the real data is a real person, and that person really registered
for the site, there is no indication in the data if that person was successful at,
or even intending to, pursue an illicit affair.
One of the appeals of online dating sites — especially niche ones like ALM’s
services — is the ease of entry combined with the anonymity of the Internet.
According to discussions on Reddit’s various relationship and dating groups, Ashley
Madison users as well as users of other “edgy” dating services, appear to be just as
likely to be fantasising “tourists” as they are to be serious marital cheaters. For
these people, the perceived anonymity and ease of signup, even without intent of
follow-through, can spell trouble at home when that anonymity is blown.
Dating sites of all types are trusted with perhaps the most sensitive, personal data
imaginable. Not only credit card payment information and personal identifiers such
as addresses and phone numbers, but personal details that few people would be
comfortable discussing in public. While it’s still unclear how the breach at ALM’s
properties occurred, I’m hopeful that CISOs around the world take securing customer
data to heart in light of these events, especially when those CISOs are entrusted
with the emotional, psychological, and physical well-being of their customer base.
As security researchers and onlookers, we should also be mindful that this breach is
not just another object lesson for CISOs. As with many breaches, this dataset can
severely impact the real lives of real people, but this set goes beyond the normal
health and privacy concerns: some people are literally put in physical danger if
their details are connected with Ashley Madison. Among the at-risk population
are physically and emotionally abused spouses, people coping with sexual
orientation, gender identity, and addiction and compulsion issues, and the children
of people who are named, falsely or accurately, in the datasets.”