When threats become reality
You may recall in a post last month I referred to the Ashley Madison "hack" which had occurred a couple of weeks prior, at the end of June. At the time the intruders threatened to make public all the data they had exfiltrated, and I pointed out then that this would become a very useful source of secondary information for potential network intruders. The data taken from Avid Media - the parent company - that was alluded to at the time was finally leaked less than 24 hours ago, as the intruders threatened they would if the company failed to permanently close down Ashley Madison, and another of its brands, Established Gentlemen. Mainstream news sites are making a big thing about how difficult the information is to get hold of, being on what they term the "dark web". Not true. In fact it can be obtained very readily, so I thought I might investigate a little.
The hazards of email
It should be noted that Avid appear to have performed no verification of e-mail addresses whatsoever (some of the addresses listed are not even valid), so the quality of the data should be treated as suspect. Specifically, the appearance of an e-mail address in the database does not mean the person normally associated with that mail account is necessarily the person who signed up to one of these accounts; they may in fact be the target of harassment by some other party. That said, we can assume that some proportion of the data is valid, and that from a security perspective the e-mail addresses themselves are at least worth pursuing as a possible line of information discovery for penetration testers and would-be miscreants alike.
As I suspected originally, the email trove alone (over 33 million records) has quite a lot to tell us. Even after discarding the addresses of individuals from public mail sites (the likes of Hotmail, Yahoo, and GMail, and domestic ISP accounts) there are still over half a million potentially corporate domains listed. Furthermore, in many cases the email addresses from public and domestic sites allow us to infer further identifying information about the account holder with reasonable confidence: full names or at least initials, birth years, months, and in some instances even complete dates.
Credit card data
Whilst there is some question as to the validity of any given email record resulting from Avid's lack of verification, there's little room for questioning credit card transactions. The trove contains what may well be a complete daily history of payment card transactions and, although thankfully the card numbers stored are not complete and cannot be misappropriated for other use, it stands to reason they are still sufficiently identifiable that anyone with access to the real card or card records - such as an aggrieved partner or spouse - will be able to confirm the identity with a degree of confidence. At the very least this is going to cause personal upsets for many of Avid's customers and their partners, and cannot help but further damage confidence in their brands.
Weathering the storm
There are two burning questions. Firstly, what will the consequences be to Avid Media? Will they be able to survive the exposure, particularly of some of the more interesting features of the credit card transaction data? Secondly, what will be the effects on the individuals caught up in these revelations, both in their private and working lives?
The ramifications of this leak could be profound, just underscoring what I said previously. Security of your customers' data is paramount. The damage potential to your brand, and your business, is huge. And whilst it would not be right to intrude on employees' private lives, it is important that they understand the potential consequences of their private actions on their working responsibilities. Even information they might think is safely contained is never fully under their control again once revealed to a third party, and may - in unfortunate circumstances - come back to bite them, and you, at some time in the future.