On July 15, 2015, the website for the Ashley Madison dating service was hacked by a group calling itself the “Impact Team”. For about a month, the group members threatened to post the information they held online, eventually carrying out their threat by making the website’s complete database public.
As in previous high-profile hacking incidents (Target, Home Depot, JPMorgan Chase and others), most media discussion focused on the personally identifiable information (PII) of the Ashley Madison clients that was exposed following the hack. As a provider of targeted Cyber Threat Intelligence, KELA sees this type of attack frequently, and based on the knowledge we’ve accumulated, in this post we would like to present a different perspective on the dangers of a cyber attack.
The following information was identified and collected automatically by KELA’s web-based RaDark service, which emulates the hacker’s reconnaissance process, enabling the customer to see any actionable information that may be harmful to their organization’s cyber security. The system uses a combination of advanced filtering algorithms, along with several hundred Dark Net and Open Source Intelligence (OSINT) information sources, constantly maintained and refreshed by KELA’s cyber analyst team.
As part of the hack of Ashley Madison’s servers and systems, the hackers obtained and published a wealth of information that has harmed, or may harm, the company in several ways. Following are a few examples.
Danger of physical harm – among the hacked documents the RaDark system found blueprints of the company offices, including detailed information on the work spaces and rooms in the building, names of employees at their workstations, physical layout of communication components and more.
Apart from this information being relevant to offensive cyber activities against the company, its exposure enables attacks in the physical world, which can put the company and its employees in danger.
Sensitive information about company employees’ compensation – since most companies work on an individual contract basis (i.e. salary, employment terms, bonuses, stock options and more), the principle of information confidentiality is a key factor which must be maintained. Exposing the pay gaps between various employees compromises the delicate balance in managing the company’s workforce. As part of the cyber attack on Ashley Madison the following data was exposed: staff salaries, the company’s option agreements, a breakdown of quarterly bonus distribution and more.
Exposing internal-only / confidential information to clients and competitors – in this breach, our system found several such instances:
- Corporate control procedures and risk management, which detail bugs and failures in the company’s systems, which might pose a threat once exposed.
- Information that the company had known about in advance but took no action to prevent from escalating, or didn’t warn about beforehand, and which now leaves it exposed to claims and protests.
- A document titled “Areas of concern – customer data” revealed that Ashley Madison was actually aware of the risks of exposing its clients’ personal information: “… A hacker or bad actor gaining access to our customer service gmail credentials and gaining access to customer data.”
Sensitive information about corporate systems and software – a cyber attack is not a “one time” event. Typically, the hacker will begin from a certain point and will work their way up according to the information they find. Sometimes, a single file could allow a hacker to cause much more extensive damage:
Sensitive statistics of data usage in the company’s products – one of the major corporate trade secrets is usage data regarding the users and the type of activity they are engaged in when using the company’s services. The Ashley Madison hack revealed a wealth of usage statistics, defined by the company as “Confidential – Not for External Distribution”, including number of visitors, signups and conversion rates.
Critical financial information – ranging from significant information about the company’s financial situation (for example, documentation of a shareholder loan), through details of the company’s bank accounts and of its means of payment (for example, Ashley Madison’s PayPal usernames and password), all the way to bottom-line dollar figures.
To find out more about RaDark and KELA’s targeted Cyber Threat Intelligence, please reach us at firstname.lastname@example.org or call our local offices.