TORONTO, July 20, 2015 — We were recently made aware of an attempt by an unauthorized party to gain access to our systems. We immediately launched a thorough investigation utilizing leading forensics experts and other security professionals to determine the origin, nature, and scope of this incident.
We apologize for this unprovoked and criminal intrusion into our customers’ information. The current business world has proven to be one in which no company’s online assets are safe from cyber-vandalism, with Avid Life Media being only the latest among many companies to have been attacked, despite investing in the latest privacy and security technologies.
We have always had the confidentiality of our customers’ information foremost in our minds, and have had stringent security measures in place, including working with leading IT vendors from around the world. As other companies have experienced, these security measures have unfortunately not prevented this attack to our system.
At this time, we have been able to secure our sites, and close the unauthorized access points. We are working with law enforcement agencies, which are investigating this criminal act. Any and all parties responsible for this act of cyber–terrorism will be held responsible.
Avid Life Media has the utmost confidence in its business, and with the support of leading experts in IT security, including Joel Eriksson, CTO, Cycura, we will continue to be a leader in the services we provide. “I have worked with leading companies around the world to secure their businesses. I have no doubt, based on the work I and my company are doing, Avid Life Media will continue to be a strong, secure business,” Eriksson said.
SOURCE Avid Life Media, Inc.
This one is a rather difficult situation to absorb, much like the OPM style hack.
If you think of what the possible combinations of these hacks can reveal, it becomes really dangerous for those that have used the AM site.
It's not just about their (potentially former) spouses, but for the curious who like to gab and create hate and discontent, it can smear one's reputation and may impact job "purity" and stress work-related situations.
It opens the world to blackmail/extortion when combined with other information such as the OPM hack.
I am sure many a government would like to see which higher level personnel have utilized the AM website, and what type of “quirks” come with it.
No matter what the staff at AM says, the person was utilized by them. If they can have a personnel file in front of them this quickly, without going through the red tape and proper channels required during breach protocol, the staff must have had close ties to the person regardless of whether they worked directly for AM or not.
I personally think it's a cry of desperation from AM – to make the hacker think they are hot on their heels, and that not dumping any more data will save them. People who indulge in this hacking behavior seem numb to the consequences until after they are caught and sitting in a cell awaiting sentencing. They have a burning desire to do harm, and a high percentage of these hackers/insider threats actually carry out their promises.
IF AM had random screening of employees on a routine basis, and if the security side of the house was doing a better job of watching staff habits at work, I am sure they could have found this insider risk a lot sooner. If indeed it's over a 20 dollar charge to clear out their info, it's going to cost that person – and everyone else – a lot more pain and agony.
In current times, where companies are falling like crazy, a company, agency or otherwise that does not do due diligence or due care is guilty. There is no forward thinking, no proactive steps to limit damage, no self-assessment, no scrubbing or limiting of privileges. Who needs access to all of the data that the hackers supposedly have? If it is an insider job, it still doesn't matter – there was no restriction on the amount of data this account or entity had access to.
Spitting fire about the morality of this site isn’t going to make any difference in the outcome. They offer a service, one that is highly questionable. It takes a dedicated act to commit to these services. If people want to opt in, whether married or single, it is on the person not the company. If no one wanted this type of service, then the company would have folded a long time ago. Then these clients if you will, would have wandered to some other websites that might have had less security or offered their data up for sale without notifying the people in general.
If anything, the AM site just received a lot of free publicity. I wonder how many more individuals will learn about the site and consider joining once the site is cleaned up. Time will tell. It's just like Hollywood – want to be recognized? Get hitched, divorced, thrown in therapy or otherwise.
Many that utilized the service can simply say, "oh, I was simply curious what this site was all about and left at the end of the free trial." Some of that might be true – but if the significant other gets a whiff of them on any website like this, they may be branded as untrusted, and might find the significant other on the same website in years to come – just for the trial, of course.
I liked this part from their breach notification:
“this act of cyber–terrorism”
Sounds frightening!
What also caught my attention is this:
“.. with Avid Life Media being only the latest among many companies to have been attacked, despite investing in the latest privacy and security technologies.
We have always had the confidentiality of our customers’ information foremost in our minds, and have had stringent security measures in place, including working with leading IT vendors from around the world. ”
However, when you read their privacy policy they state they only use the standard stuff, and encryption appears to only be used when peoples’ data are stored to disk. Why no encryption here? Was it all in a buffer? Stored on a USB key? If confidentiality is so important, why was this data in the clear and why the use of standard commercial security protections?
Privacy policy states:
Security
We treat data as an asset that must be protected against loss and unauthorized access. To safeguard the confidentiality and security of your PII, we use industry standard practices and technologies including but not limited to “firewalls”, encrypted transmission via SSL (Secure Socket Layer) and strong data encryption of sensitive personal and/or financial information when it is stored to disk.
What kind of encryption do they have? Standard stuff that can be cracked on a five dozen websites? What does “strong” mean?
All I want now is to be able to look up the names to see if any politician or lawmaker was stupid enough to pay for this “service” with their real name. Seems we can also maybe check if they paid for the “Affair Guarantee”. That makes for a fantastic bonus!
Also, why is it that it took this hack for Ashley Madison to finally allow people to completely delete stuff without deletion fees? Seems to me (in my opinion) they may have known that some cheating hubby or wife would want stuff removed and took advantage of people with this fee. Very wrong. Per Ars:
http://arstechnica.com/business/2014/08/cheaters-hook-up-site-ashley-madison-makes-account-deletion-confusing/
Ashley Madison’s “directions on how to do so can be confusing to the point where they appear misleading.” And once you read that ARS article you will perhaps agree.
Their puff-piece up above doesn’t cut it for me.
Cougarlife.com, which was also affected, appears to be the exact same thing, right down to your “Cougar Life Ultimate Catch Guarantee Program”.
I’m going to start divorcedduetohax0rlife.com
However, I will not state in my privacy policy how confidentiality means the world to me while having Norton Antivirus running on my servers.
Perfect. Go register that domain right now! 🙂
Catch-22, if I reg a site and spend time on it, the better-half will divorce me. 😉 We could end up meeting all over again on my new website!
Looking around online, I am seeing everyone blaming and hating on the customers of this "cheating" website.
This reminds me of that "Gabriella" vs. Rogers situation, where her husband left her because Rogers Communications decided all on their own to remove her as the account holder of her own cell phone contract and put it in her husband's name, where he then saw where/who she was calling.
The majority of people hated on her and blamed her, not much unlike this situation.
Ref:
http://www.pogowasright.org/woman-who-blames-rogers-for-exposing-affair-says-she%E2%80%99s-not-alone/
As you said back then, “I think some people will be unable to look at the privacy issue because they’ll get blindsided that it was a “cheating” situation.”
Seems like sort of a repeat.
I’d love to see how PrivCom would rule on this. I hope someone files.
The two things that stand out the most for me here are these:
1. Deletion of info comes with a premium fee, and though free deletion is available, it appears it was purposefully not made very clear how to perform it. Thus if you wanted your account deleted and couldn't make out the difficult or misleading instructions, you had to pay (which might not have been within everyone's reach, $-wise).
2. Section 7: Use appropriate safeguards
I’m a spousal cheating website operator and I know there will be major ramifications if I don’t use appropriate safeguards that will lead to divorce, child custody issues, physical abuse, mental anguish/abuse, depression, high costs, and so forth.
A) So in my infinite wisdom, with the knowledge of above in mind, I will use run-of-the-mill standard stuff for security and protection like what my privacy policy states.
B) They sure patched the security issue fast as if they knew right where to look. As if they already knew but never acted on it (I could be wrong, it comes across this way).
C) The statement about how they use standard commercial stuff yet “strong encryption”. Was this stuff encrypted or not? If so, exactly how “strong” was the encryption. Was it “strong” enough for a spousal cheating website and all the damage/ramifications that comes with this type of site?
I want to know what PrivCom thinks is “appropriate safeguards” in this situation, and if standard run-of-the-mill off-the-shelf security is adequate in relation to the damage that can/will occur.
There could be more, but those two stood out for me on first thought.
Anyhow, I'm just cranky :/
All good points – especially quoting me from a past, similar breach. Yes, the moralists have come out in force. It’s like they’ve forgotten that EVERYONE has something to hide, and inadequate infosec can bite them, too.
Just to toss some stats out there… Ottawa (Canada's capital) residents are the #1 cheaters per capita on this website.
Second place is Calgary.
Ref:
http://ottawacitizen.com/storyline/hackers-breach-cheating-site-ashley-madison-and-threaten-to-release-info-the-sites-1-canadian-user-base-ottawa
I see multiple class actions happening very soon. But I say the States will be first, though Canadians may have a better chance of getting the class action certified for the go-ahead.
The arbitration clause and class clause of AM's ToS hold no water in certain provinces in Canada. Not sure about the States.
In addition to the non-disclosed $20 delete fee, there is the issue of keeping your data in perpetuity if one terminates without paying the deletion extortion fee (i.e. retention past its intended purpose).
I will be very curious to know how many people took the free trial offer type thing, terminated, then balked at the delete fee, which is not disclosed. That is so wrong for an adultery website whose main business model is privacy and the safeguarding of privacy.
AM did not remove the deletion fee for nothing. This alone is likely actionable.
I get more cranky as I think about this hack.
Some people may not want to join a lawsuit that will further “out” them as users of the site, but I’m confident that there will be some people who will sue.
If a class action is started, Canadians need not be named/outed. Case in point is once again that Gabriella VS Rogers case. I don’t believe that was her real name.
“Privacy Lawyer” also makes mention that users need not be outed in this CBC piece (5th last para):
http://www.cbc.ca/news/technology/ashley-madison-could-face-class-action-suit-after-massive-data-breach-1.3160790
“… precedent in Canadian law for protecting class-action participants’ identities; so users of the site wouldn’t necessarily “out” themselves if they took part.”
Also, from what I have seen and experienced, once a class is started it’s open to all affected. One need not sign up till it’s time to roll out the dough (if there’s a win). Enrollment is automatic. But I don’t know if this is true for all cases.
In the UK, from what I just read (last para):
http://www.theguardian.com/world/2015/jul/21/ashley-madison-adultery-site-hack-will-i-be-found-out-what-you-need-to-know
“… those who wished to sue the company would have to apply for a court order in order to remain anonymous.”
I have no clue about the U.S. and the dozen other jurisdictions affected, but I'm curious about it.
What I don't know is if people will wait for a data dump, or act on the fact that Ashley Madison was more or less holding people's stated lust for extra-marital affairs hostage for $20. Their business model is privacy and the safeguarding of privacy, but they had this undefined $20 fee which, to me, after reading all their policies, is only visible once you sign up, and by then it is too late. They have you by the balls at this time. They then failed in their business model of privacy and the safeguarding thereof. So you either pay, or stay as a databased adulterer in perpetuity. Hostage situation here with extremely sensitive info, which has come back to bite AM in the buttocks, and all their users with them.
Their hostage fee, per the reports, raked in almost $2 million annually, so roughly 100K people paid them off. And then there are the undisclosed hundreds of thousands of people who would not, or could not, pay the undisclosed fee. So AM kept their PII in perpetuity as punishment for not paying them off, and has now lost it all.
Which is why I stated I see more than one issue and potentially more than one class action. Plus it is doable without being outed (at least in Canada and the UK it appears).
But what do I know. I’m just cranky, in need of coffee, and seeing slime (not in the people, but rather in the business model).
Helpful point about Canadian law protecting identities in litigation. Thank you.
More info on Ottawa. It isn’t relevant to anything I guess, more of a curiosity, but I found it interesting.
Ottawa, the city fun forgot, tops on infidelity website
http://ca.reuters.com/article/domesticNews/idCAKCN0PV26H20150721
On page 1:
“One in five Ottawa residents allegedly subscribed to adulterers’ website Ashley Madison, making one of the world’s coldest capitals among the hottest for extra-marital hookups – and the most vulnerable to a breach of privacy after hackers”
On page 2:
“The hotbed of infidelity was also the seat of power: The top postal code for new members matched that of Parliament Hill, according to Avid Live chief executive Noel Biderman in a newspaper report published earlier this year.”
The movers and shakers of Canada must have had an unexpected movement 😉
Heh. Tweeted that fact. Thanks!
I know this may sound stupid, but, one of your tweets made me think of something and I now have questions that maybe someone can answer.
Breach Notification.
In this case I see both paid versus unpaid. Both physical address and no physical address.
How is breach notification going to occur here? Has Ashley Madison (Avid Life Media Inc.) stated anything about notifications? Have any notifications gone out to say that people's most intimate details have been breached?
Will they send an email only? Is every email still valid? Even for those who left AM and wouldn't/couldn't pay the $20 extortion fee for deletion?
Will they send snail mail in plain brown paper envelopes that someone's wife/husband may open?
How could a company with this type of business model prevent further harm via breach notification? I see breach notification in this particular case as possibly causing more harm, depending on how they communicate with people.
Or, is the potential for further harm reason enough to not notify people?
I’m curious about individual breach notifications, perhaps the requirement to notify, for: Canada, the US, AU, and the UK. Any rules on the book for this in these jurisdictions?
Stupid question maybe. But I'd get curious if I saw a plain brown envelope in the mailbox addressed to the better half, knowing about this data breach. I wouldn't open it, but it would have me thinking that maybe I too should have an affair! 😉
Breach notification for an adultery site. I never thought of this angle before.
PrivCom:
https://www.priv.gc.ca/information/guide/2007/gl_070801_02_e.asp
Anything newer or more targeted for individual notification?
I’ve reached out to Avid Life Media to put the question to them. If/when I get a response, I’ll post it. You’ve raised some excellent questions (as usual!)