Toronto-based Avid Life Media, which owns a group of specialty online dating sites, confirmed this morning that it was the victim of an online attack that exposed a significant portion of its users’ confidential data.
The breach is particularly sensitive given that Avid Life’s biggest site is AshleyMadison.com, aimed at married people looking to arrange extramarital affairs. The group claiming responsibility for the breach calls itself The Impact Team and says it is in possession of details for some 37 million user accounts, including credit card information, home addresses, and other sensitive details. Security blogger Brian Krebs has provided a thorough breakdown of the situation on his blog, which is well worth reading.
The Impact Team is demanding that Avid Life shut down AshleyMadison.com and its corporate cousin Established Men (aimed at aspiring sugar-daddies), or else it will release the trove of data.
There are a number of things about this situation that are exceptional: Ashley Madison’s user data is more personally sensitive than what many companies deal with, and the attackers’ stated motivation is to punish what they allege are Avid Life’s unethical data-deletion procedures. But there are some takeaways from this attack that all businesses, regardless of their size or industry, need to be aware of.
First is that you are not exempt; most companies are at some kind of risk. Digital security firm Symantec, in its most recent Internet Security Threat Report, highlights one popular type of attack called “spear-phishing”: malicious emails designed to get targeted individuals within your company to unwittingly share sensitive information like email passwords (which could then be used to make further, potentially more far-ranging and damaging intrusions).
Symantec’s chart here shows the prevalence of this type of attack by business size, and even small companies, with 250 or fewer employees, had a 45% chance of being attacked this way in 2014 (2014 figures are in red; 2013 are in grey—you can see the dramatic rise in frequency). The likelihood only rises from there.
A second way in which this data breach is typical now is that it was a concerted attack, and not an accidental spill. Just a few years ago, mistake breaches were more common—laptops lost in airports or databases accidentally exposed online, for instance. Perhaps increased vigilance is paying off in that respect—but it’s hardly much comfort, since targeted attacks are more than filling the gap.
“Insider theft” is also a small but particularly difficult security problem, and in that respect the Ashley Madison hack may also be emblematic: Avid Life CEO Noel Biderman told Krebs that “It was definitely a person here that was not an employee but certainly had touched our technical services.” An insider or former employee armed with a grudge and specialized knowledge of the company’s workings may be a rarer circumstance than the rest, but they have the potential to be far more damaging.