Summary of the Case
On July 12, 2015, employees of Avid Life Media (ALM) arrived at work to find a message from a group calling themselves the “Impact Team” (IT) threatening to release company and customer data unless the Ashley Madison and Established Men websites were shut down. The message was accompanied by the AC/DC song “Thunderstruck,” which played when the message was opened. IT had stolen the personal information of the users of both the Ashley Madison and Established Men websites. The IT group threatened to release all of the data that it had stolen if ALM did not shut down its websites immediately (Lord, 2017).
One week later, on July 19, 2015, IT published their warning message on the site Pastebin, setting a 30-day window for ALM to shut down the sites before they would release the stolen information. Pastebin is a website that allows users to share plain text through public posts called “pastes.” Many similar web applications, known as “pastebins” or “paste sites,” have been developed since the original Pastebin was launched in 2002. Users use Pastebin to share plain text blocks with others in a way that allows other users to easily access and edit the shared text. While paste sites mainly support innocuous text-sharing, they have also become popular platforms for illegal activities, such as sharing dangerous source code and leaking breached data (Lord, 2017; Masfield-Devine, 2015; Rouse, 2011).
The next day, ALM issued public statements acknowledging that there had been a data breach but did not reveal the severity of the breach (it is unclear if ALM knew the extent of the breach at that time). One of the public statements described “an attempt by an unauthorized party to gain access to our systems” and announced a joint investigation conducted by Ashley Madison, law enforcement, and the cybersecurity service provider Cycura. To demonstrate that they did indeed have ALM user data, IT released the names and information of two Ashley Madison users (Lord, 2017; Avid Life Media, 2015).
ALM viewed IT’s threats as unfounded hacktivist threats and chose not to shut their sites down. It is unclear if ALM believed they would find the perpetrators before the 30-day time frame set by IT expired, but it is clear that they did not sufficiently predict the damage that IT could cause to their operations. In any case, after the 30-day deadline expired, IT fulfilled their threat and started releasing the stolen data. On August 18, 2015, in a Pastebin post titled "TIME'S UP," IT published the first large Ashley Madison user data dump, containing nearly 10 gigabytes of user email addresses (Lord, 2017; Avid Life Media, 2015).
ALM, investigators, researchers, and media outlets began to analyze and validate the released data. A categorical breakdown of the email addresses revealed many government, military, and corporate addresses that users had used to establish accounts with ALM sites. After a great deal of media frenzy over the validity of the leaked data, Brian Krebs, an American journalist closely associated with investigating cybercrime, disclosed that numerous Ashley Madison account holders had confirmed that their information was publicly disclosed (Lord, 2017; Masfield-Devine, 2015).
Two days later, on August 20th, IT leaked a second large dump of ALM’s data. Unlike the first data dump, which was primarily user data, the second dump contained nearly 20 gigabytes of mostly internal data that included the ALM CEO’s emails and Ashley Madison website source code. Vice News, a media source that produces daily documentary essays and video through its website and YouTube channel, obtained an email address connected to IT through an “intermediary” source. After sending an initial email, Vice News received a response signed with the same PGP key posted with the Ashley Madison dumps (PGP stands for “Pretty Good Privacy” and it is proprietary encryption software that increases the security of e-mail communications). Through the email exchange with Vice News, IT claimed to have over 300 gigabytes of hacked Ashley Madison data. When asked to provide details about their attack, IT claimed that it was easy, saying, “We worked hard to make fully undetectable attack, then got in and found nothing to bypass.” IT went on to say that ALM's security was poor, especially for a company that sold itself as extremely secure. IT’s comment on ALM’s security was: “Bad. Nobody was watching. No security. Only thing was segmented network. You could use Pass1234 from the internet to VPN to root on all servers.” IT went on to say that they had been hacking ALM for several years (Lord, 2017; Masfield-Devine, 2015).
The third Ashley Madison data dump occurred on August 23, 2015. In this dump, the leaked data included a full list of government emails used for accounts (sorted by department) as well as lists of Ashley Madison users in Mississippi, Louisiana, and Alabama. The user information provided included email addresses, mailing addresses, IP addresses, signup dates, and total amounts spent on Ashley Madison services. IT continued the data dumps state by state until August 26, 2015, when they appeared to have released all of the data that they had stolen (Lord, 2017; Masfield-Devine, 2015).