Ashley Madison admitted "large lack of security awareness" before hack, document reveals

Senior Avid Life Media employees, including CEO and CTO, flagged security concerns before hackers stole 37 million customers' data

Ashley Madison was guilty of a "large lack of security awareness" only a month before hackers stole 37 million users' details from the dating website, according to an internal document seen by IT Pro.

The company, which provides a service for people looking to cheat on their partners, also had "a lack of review on security measures", according to a note in a file titled CSF (critical success factors) Questionnaire, which was completed by 17 senior employees.


The internal survey was completed over the middle of June, just one month before Ashley Madison's defences were breached by hackers who threatened to put millions of customer records online if the company's owner, Avid Life Media (ALM), did not shut down the site.

Today the group of cyber criminals, known as Impact Team, made good on its threat and published between 30 million and 33 million records on the dark web, including people's email addresses, credit card numbers and personal details extending to sexual fantasies.

The respondents, who included the CEO and CTO, brought up security matters repeatedly, a fact highlighted in the document's footnote.

When asked in which areas he would hate to see anything go wrong, CEO Noel Biderman highlighted "data exfiltration" and "confidentiality" of customer information as key areas, adding: "An insider data breach would be very harmful. Have we done good enough a job vetting everyone, are we on top of it."


Trevor Sykes, CTO of parent company Avid Life Media (ALM), also raised similar issues, citing "protection of personal information" and security concerns arising from "bad internal actors" four separate times in his responses.

He added: "I would hate to see our systems hacked and/or the leak of personal information."

In a statement included in its first data dump, Impact Team mocked his concerns, quoting his fears before writing: "Well Trevor, welcome to your worst f*cking nightmare."

However, while director of product management Amit Jethani similarly spoke of his "fear of [a] data leak outside our walls", Impact Team made clear that director of security Mark Steele had done everything he could to bolster Ashley Madison's security, before claiming that nothing could have prevented the attack.

The data breach is likely to have far-reaching consequences for Avid Life Media, Ashley Madison and its customers, with security analyst Graham Cluley warning that exposing people as customers of the service could have devastating ramifications.


He wrote in a blog post: "It's easy to imagine that some people might be vulnerable to blackmail, if they don't want details of their membership or sexual proclivities to become public.

"Others might find the thought that their membership of the site - even if they never met anyone in real life, and never had an affair - too much to bear, and there could be genuine casualties as a result. And yes, I mean suicide."

He and others have pointed out that Ashley Madison does not verify email addresses, meaning a customer could sign up with someone else's email, so an address appearing in Impact Team's data dump only suggests, rather than proves, that the person who owns it was a customer.

Executives writing in the CSF document also noted that the potential consequences of a hack would be critical issues for Avid Life Media and its brands.

For instance, Avi from 'Legal' (possibly Avi Weisman, VP and GM of ALM) raised the spectre of a class action lawsuit as a potential concern, something that Impact Team has explicitly advocated, advising victims that "it was ALM that failed you and lied to you. Prosecute them and claim damages".


Despite Kevin McCall, vice-president of operations, claiming "security has become more critical", Impact Team claimed it was easy to hack the site.

"For a company whose main promise is secrecy, it's like you didn't even try, like you thought you had never p***ed anyone off," the cybercriminal group wrote.

Impact Team's claim that it has been gathering this information over "the past few years" may imply, if true, that the group had access to ALM's network for a long time without anyone in the company's security team realising, or that it received insider help.

IT Pro has contacted Ashley Madison for comment. An existing statement from the firm addressing the hack read: "This event is not an act of hacktivism, it is an act of criminality. It is an illegal action against the individual members of AshleyMadison.com, as well as any freethinking people who choose to engage in fully lawful online activities.


"The criminal, or criminals, involved in this act have appointed themselves as the moral judge, juror and executioner, seeing fit to impose a personal notion of virtue on all of society. We will not sit idly by and allow these thieves to force their personal ideology on citizens around the world."
