What Non-Cheaters Can Learn from the Ashley Madison Breach

It’s safe to say that lingering fallout over the Ashley Madison breach in July has prompted a tremendous amount of stunned gasps – and snickers. Count the site’s 37 million members as the primary gaspers. If Ashley Madison works as its slogan states (“Life is short. Have an affair.”), these members signed up to pursue extra-marital hanky panky. Non-cheaters, of course, could gather ‘round the office water cooler and chuckle about the hack with a “serves ‘em right” sense of comeuppance about the victims.

Upon further review, however, it’s clear that the incident remains foreboding for anyone who’s given personally identifiable information (PII) to a website – a state of frequently misplaced trust which should concern cheaters and non-cheaters alike.

A crew dubbing itself as “The Impact Team” took credit for the attack, calling the users “cheating dirtbags” while threatening to expose their names, addresses, transactions and naughty particulars about their accounts, including nude pictures. (A threat the group made good on in August, after dumping 9.7 gigabytes’ worth of data containing account summaries, log-ins, transaction details, etc. For this, Impact Team used what’s called “the dark web,” via an Onion address accessible only through the Tor browser.)

What’s more, the hackers boasted of exposing a false claim on the part of the site’s owner, Avid Life Media (ALM): That through the “Full Delete” service, members could get their PII removed in an irrecoverable manner for $19. The Impact Team said it found personal information of “Full Delete” purchasers still stored on ALM’s servers.

In other words, the entire episode amounts to a messy, er, affair – especially for the site’s members. Fortunately, there are “lessons learned” from the incident which users of any site (even “non cheating” ones) can benefit from:

If a company says it secures its “highly private” site with “industry standard” technologies, check it out. Ashley Madison has said little about the site’s security systems, only claiming to deploy “industry standard” solutions while touting itself as a privacy-respecting service.

In reality, Ashley Madison set up a conflicted business model in which managers held legal free reign over users’ data. It was authorised to keep the data whether users knew it or not. In its privacy policy, the company insisted it could disclose and sell all PII in the event of a sale, merger, restructuring, etc. Obviously, this case will raise thorny legal questions and potential lawsuits in which courts will scrutinise the site’s practices. Until then, don’t be satisfied with an “industry standard” explanation. Consumers need to insist on specific policies, protocols and procedures, because terms such as “private,” “secure” and “encrypted” can mean pretty much anything. What’s key is how technologies and policies come together in the execution.

So if a business says it follows industry standards, then find out whether they provide a summary of the standards in the Terms and Conditions. If not, seek direct responses to direct questions: “What personal information is collected? Where is it stored? How long will it be retained? How is it protected? Is it encrypted? How will it be used? Will it be shared with a third party? Do I have the right to have my PII deleted from your website and any associated data repositories? What recourse do I have if I object to any of your policies?”

It’s not much different than the disclosure requirements of a public company. And these sites are, in a sense, a public trust. (Albeit, in the case of Ashley Madison, that’s stretching the definition of “public trust.”) Therefore, it’s time for users to demand answers to questions about how their PII is protected.

Speaking of those Terms and Condition agreements, you really should read them – in their entirety. Because if you were considering joining Ashley Madison and bothered to read the whole agreement, you’d come across this eyebrow-raiser: That the site strives “to maintain the necessary safeguards to protect your personal data” but “cannot ensure the security or privacy of information you provide.” The agreement indicates that users release “us, our parent, subsidiaries and affiliated entities and ours and their shareholders, officers, directors, employees and agents, successors and assigns from all claims, demands, damages, losses, liabilities of every kind, known and unknown, direct and contingent, disclosed and undisclosed, arising out of or in any way related to the release or use of such information by third parties.”

Whew! Sounds like a monumental copout to us. Yes, accidents and errors happen. But we ought to raise the bar in setting a minimal, acceptable level of effort and investment in shielding our data. Yes, it will cost more money for organisations to constantly track, monitor and react to potential threats and breaches. But businesses should understand that a relative ding to their bottom line is a small price to pay to protect their customers.

Encryption isn’t a cure-all. Companies need to encrypt all customer PII. If you want to apply encryption benchmarks to an organisation seeking your PII, find out whether it closely follows Federal Information Processing Standards, which affect businesses doing work with the U.S. government that involves sensitive but not classified data. That said, even encryption that meets federal mandates isn’t flawless. In order to be used, encrypted data has to be unencrypted at some point. Criminals often target holes in programs which work with the data. So it’s critical to keep the “keys” safe. Doing so is often difficult, underscoring why organisations should not collect more sensitive information than is required to conduct a given transaction, and retain it no longer than absolutely necessary.

Users can – and should – proactively protect themselves. They need to take steps to ensure their PII isn’t exposed online. In the case of Ashley Madison, members who fared the best resorted to one-off e-mail addresses that weren’t associated with their other contact information, and paid with untraceable pre-paid debit cards. (Despite the fact that the site demanded that users accurately submit their names, ages and credit card details.) In addition, when transferring files and sending sensitive communications via e-mail, users can leverage encrypted file sharing services such as our SafeShare, which combines cloud storage with encryption for safer, simpler “encounters.”

Hackers have a moral compass too. (But it’s an odd one.) Well, at least some of them do. Before Ashley Madison, Adult FriendFinder was hacked in May. So we’re seeing a strange and terrifying new type of adversary who justifies attacks with a commitment to vigilantism, yet harbors no ethical qualms about stealing peoples’ data and posting it publically. (Which means outside parties – including criminals – can grab it and exploit it as they wish.) Whether hackers are claiming moral high ground or not, it’s still essentially blackmail and that sets a very scary precedent.

In retrospect, a site like Ashley Madison introduces a wealth of issues – issues which end up as the lead news story on every major network after this sort of massive breach. The site offered such an irresistibly “tempting piece of fruit,” that members were willing to join without carefully examining any security deficiencies.

You’d think someone who wants to cheat on their partner would take extreme precautions to remain anonymous and research how their data is protected. But, for many, the due diligence never happened – and “cheaters” out there will regret their decision all the way to divorce court. That’s a valuable lesson for all of us – the faithful and the faithless – to never forget.

August 27, 2015