Security Experts After AshleyMadison.com Hack: Your Data Is at Risk Everywhere

AshleyMadison.com, a website that facilitates adultery among married Americans and their paramours, has been hacked, potentially putting 37 million users’ personal and private details at risk, according to security researcher Brian Krebs.

The website's parent company, Avid Life Media (ALM), told CNBC it used the Digital Millennium Copyright Act to successfully remove all sensitive data that hackers posted online, but the story is far from over. The hackers (or hacker), calling themselves "the Impact Team," claim they hold all the data on the company's user base and have threatened to dump it online if some of ALM's sites are not shut down.

ALM Chief Executive Noel Biderman told security specialist Brian Krebs of Krebs on Security the hack was very likely an insider attack performed by a former employee or contractor.

"We're on the doorstep of [confirming] who we believe is the culprit, and unfortunately that may have triggered this mass publication," Biderman told Krebs. "It was definitely a person here that was not an employee but certainly had touched our technical services."

While Ashley Madison may turn out to be only one of many notable insider hacks we’ve seen in the past year, the case nonetheless illustrates an ongoing problem, says Matthew Green, a Johns Hopkins University cryptology expert and privacy advocate.

"This is definitely a weird case. It's the weirdest kind of website you could have and the worst kind of information you could have hacked, and it's probably a pretty atypical person who's using it. But it's still the same issues we've been discussing for a while now," Green told Newsweek.

"You have the same issue of online providers keeping too much data about people in poorly secured databases," said Green. "The difference is, this data happens to be particularly embarrassing. If someone steals my Google or Twitter information, that’s a little embarrassing, but this information can actually get someone hurt or in trouble. It's the whole privacy debate about online services, but on steroids."

Green said a hack like Ashley Madison's was inevitable.

"It just accentuates the fact that we don't know how to do information security well and services are collecting way too much information," he said.

"The traditional approach to security has been like a Tootsie Pop—hard on the outside, soft on the inside," said Mark Nunnikhoven, vice president of Trend Micro, a security company. He believes the Ashley Madison hack highlights a major problem with how companies secure their data and whom they trust with access.

"It's far easier to abuse a privilege you've been granted than to find a hole in the perimeter and dump a bunch of data out. Hacks like Ashley Madison or the Sony hack highlight an ongoing challenge. For any IT operation to work...you have to take steps to isolate different tasks and different data so that you aren't giving unneeded access," Nunnikhoven said.

There will always be motives for going rogue, Nunnikhoven warns. "If you have an IT guy making $50,000 and a criminal organization offers $250,000 for the info, depending on his moral compass, he just might be willing to hand the information over."

With more and more security attacks coming from within, Nunnikhoven says that knowing who has access to your company's data has never been more important.

"If you are outsourcing IT," he says, "you need to look at the reputation of the company, but you also need to have the contract stipulate who is going to be accessing your data and what safeguards are in place, because you are trusting this other company with your IT access and with your data, and that is the lifeblood of your company."
