Naughty Secrets – Findings in the Ashley Madison Breach

• Author: Martin Kratz
• Date: September 28, 2016

A quote attributed to FBI Director Robert Mueller is “There are only two types of companies: those that have been hacked and those that will be”. The assessment of the Ashley Madison cyber-attack has lessons for all organizations who may face this risk.

July 15, 2015 a website run by Avid Life Media Inc. (ALM), called Ashley Madison targeted at people seeking a discreet affair, was breached by a group or person calling themselves The Impact Team. The personal information of members was threatened to be exposed unless ALM shut down the Ashley Madison and another ALM website. ALM did not comply with the demand and on July 20, 2015 reported the breach to the Office of the Privacy Commissioner of Canada (OPC) after the perpetrator had published its demand on the internet July 19, 2015. On 18 and 20 August 2015, the perpetrator published information it claimed to have stolen from ALM, including the details of approximately 36 million Ashley Madison user accounts.

The Office of the Australian Information Commissioner (OAIC) and the OPC jointly investigated ALM’s privacy practices at the time of the data breach, circumstances of the data breach and ALM’s information handling practices.

Lessons from the Breach – Common Steps in a Breach

The incident provides lessons for future victims of cyber-attacks on the likely stages to be encountered in such an incident and illustrates the efforts that can be made to mitigate the damage arising from it.

The first lesson is that a data breach is a crisis management event. From the detection of behaviour in ALM’s database management system to the publication of the threat on the internet and engagement with the OPC all occurred in mere days. Organizations may be overwhelmed by the fast pace with which a breach event expands and objective management of the crisis is required to minimize expanding the damage. Advance preparations, such as the preparation of a breach response plan and training with it, can help to mitigate harm.

A second lesson is to act quickly to stop the furtherance of the breach. ALM acted quickly to stop further access to the attacker. On the same day it became aware of the attack, ALM took immediate steps to restrict the attacker’s access to its systems and ALM engaged a cybersecurity consultant to assist it in responding to and investigate the attack, eliminate any continuing unauthorized intrusions and provide recommendations for strengthening its security. Such steps require access to very capable technical and forensic support. A lesson for future victims is that advance preparation and engagement of such experts may result in faster response when faced with a breach.

After the publication the breach became a media event. ALM issued several press releases on the breach. They also set up a dedicated telephone line and an email inquiry system to allow affected user to communicate with ALM about the breach. ALM subsequently provided direct written notification of the breach by email to users. ALM responded to requests by the OPC and OAIC to provide additional information about the data breach on a voluntary basis. The lesson is that a breach response plan should anticipate the various elements of communication to the affected individuals, to applicable regulators, to the media and others.

ALM conducted a substantial reassessment of its information security program. They hired a Chief Information Security Officer who reports directly to the CEO and has a reporting...