Ashley Madison hack: Toronto police report suicides after data leak

Police investigating reports of suicides possibly related to Ashley Madison data leak

Canadian police are investigating reports that two people have committed suicide as a result of the Ashley Madison website hack and subsequent data leak.

The news was announced by Toronto Police Service acting staff superintendent Bryce Evans during a media conference on the latest in the case.

“As of this morning have two unconfirmed reports of suicides associated because of the leaks of Ashley Madison customer profiles,” he said.

During the briefing, Evans also said that Ashley Madison is offering a $500,000 reward for information that leads to the arrests of those responsible for the website breach and data theft.

He also warned that criminals have already begun using the Ashley Madison hack to launch scams against the public and urged people to be wary of this threat.

“The public needs to be aware that by clicking on these links you are exposing your computers to malware, spyware, adware and viruses.”

Evans also issued a warning to the Impact Team, promising that justice would be done: “I want to make it very clear to you your actions are illegal and we will not be tolerating them. This is your wake-up call.”

He also issued a plea for help from the ‘hacking community’ to help catch the hackers, claiming that a ‘line had been crossed’ and the Impact Team had gone too far.

The updates come after two Canadian law firms issued a joint $576m (£360m) lawsuit against the parent company of Ashley Madison after data of 37 million customers was posted online.

The firms, Strosberg LLP and Charney Lawyers and Sutts, filed national class proceedings against Toronto-based companies Avid Life Media and Avid Dating Life “on behalf of all Canadians” who subscribed to Ashley Madison and whose personal information was disclosed to the public.

The law firms said in a joint statement that they were approached by numerous former users of Ashley Madison to inquire about their privacy rights under Canadian law.

“They are outraged that AshleyMadison.com failed to protect its users’ information. In many cases, the users paid an additional fee for the website to remove all of their data, only to discover that the information was left intact and exposed,” the statement said.

“The allegations in the class action include that the privacy of many thousands of Canadians was breached in July 2015 when hackers infiltrated AshleyMadison.com and downloaded private information. The data breach includes users’ personal names, emails, home addresses and message history.”

This is not the first lawsuit filed by Canadian lawyers against Ashley Madison. A plaintiff sought over $20m in 2013 after alleging that she sustained injuries from typing “hundreds of fake profiles”.

The joint statement reveals that Impact Team, the hacking collective responsible for the data breach, is not listed in the lawsuit.

V3 contacted Avid Life Media for comment but had received no reply at the time of publication.

Impact Team has released roughly 30GB of data to the dark web, and claimed that it has 300GB of employee emails and documents from the website’s internal network including “tens of thousands of Ashley Madison user pictures” and “some Ashley Madison user chats and messages”.

Impact Team gave insights into its tactics and the vulnerable nature of Ashley Madison’s security in an interview with Motherboard.

“Nobody was watching. No security. Only thing was segmented network. You could use Pass1234 from the internet to VPN to root on all servers.”

Impact Team also attacked the initial reaction by Avid Life Media chief executive Noel Biderman, and denied the suggestion that the group is blackmailing Ashley Madison customers.

“They sound like politicians, cannot stop lying. They said they don’t store [credit card information]. Sure, they don’t store email either; they just log in every day to server and read. They have payment processors. The payment processors store most of the credit card number and billing address. Like how Gmail stores their email. They can log in and look up transactions,” the group said.

“Everyone is saying 37 million! Blackmail users! We didn’t blackmail users. Avid Life Media blackmailed them. But any hacking team could have. We did it to stop the next 60 million.”

The hacking collective uploaded a 19GB file last week that contained source code to the website and Biderman’s personal emails.

The release, roughly double the size of the original 9.7GB file, was in response to an interview Avid Life Media conducted with security researcher Brian Krebs in which former Ashley Madison chief technical officer Raja Bhatia claimed that the initial data dump was fake.

The release was signed by Impact Team: ‘Hey Noel, you can admit it’s real now.’

One researcher analysing the release said that the leak contained website source code, 73 Git repositories and a 13GB compressed file marked as Biderman’s emails.

Dave Kennedy, chief executive of security firm TrustedSec, analysed the files and said they appear to be real.

“The dump appears to contain all of the CEO’s business/corporate emails, source code for all of their websites, mobile applications, and more. Note that we do not plan on performing analysis on the actual files due to the sensitivity of the dump. However, it does appear to be legitimate like the other dump,” he wrote in a blog post.

“If this turns out to be legitimate, which it in all aspects appears to be, having full source code to these websites means that other hacker groups now have the ability to find new flaws in Avid Life’s websites, and compromise them more.”

This came after sensitive data on millions of users of Ashley Madison was leaked online in a 9.7GB data dump by Impact Team.

The data contained millions of names, home addresses, email addresses and transaction records of users that were posted online via the untraceable Tor network and to peer-to-peer torrent websites. However, the file did not appear to include full credit card numbers.

The hackers said in July that they would release the customer data into the wild if the Ashley Madison and Established Men websites were not taken down. Avid Life Media doubled down and said that it had bulked up security following the hack.

Avid Life Media said it is conducting a full investigation of the hack to find those responsible.

“This event is not an act of hacktivism, it is an act of criminality,” it said. “It is an illegal action against the individual members of AshleyMadison.com, as well as any freethinking people who choose to engage in fully lawful online activities.

“The criminal, or criminals, involved in this act have appointed themselves as the moral judge, juror, and executioner, seeing fit to impose a personal notion of virtue on all of society.”

Impact Team, who took issue with a pay-to-delete function offered by Ashley Madison, refuted the claim that it is at fault.

“Ashley Madison has failed to take down Ashley Madison and Established Men. We have explained the fraud, deceit and stupidity of ALM and their members. Now everyone gets to see their data,” it said in a bulletin issued alongside the data leak.

“Find yourself in here? It was ALM that failed you and lied to you. Prosecute them and claim damages. Then move on with your life. Learn your lesson and make amends. Embarrassing now, but you’ll get over it.”

Dr Chenxi Wang, vice president of cloud security and strategy at CipherCloud, said the real victims in the situation are the users of the website.

“Ashley Madison should have halted operations rather than betray the confidentiality of millions of customers. The hackers rightly pointed out that parent company ALM failed to protect customers, the bottom line for doing business,” she said.

“The real victim is not Ashley Madison, it is the customers and their families, who are forced to suffer humiliation and pain.”

“They could have been spared if Ashley Madison had done the tough but right thing. But maybe we should not be surprised – trust is not the strong suit for a company that makes its money by encouraging people to lie and cheat.”

A financial consequence

Following the hack in July, Ashley Madison found that it could face fines of up to £500,000 if it failed to delete user data as agreed with customers.

Mahisha Rupan, senior associate at technology and digital media law firm Kemp Little, warned that keeping customer data longer than advertised can result in fines by the Information Commissioner’s Office (ICO).

The ICO can enforce fines of up to £500,000 on businesses found to have breached privacy law.

“Legally, Ashley Madison has to ensure that its users’ information is protected using security measures that are in proportion to the sensitivity of the personal information being protected,” said Rupan.

“Given that the hackers accessed information about users who have stopped using the service and requested the ‘paid delete’ functionality, Ashley Madison will need to have a strong and justifiable reason as to why it still held these users’ information.

“A key cornerstone of data protection laws is that companies should not be keeping data that it no longer requires.”

An ICO spokesperson told V3 it is “liaising with their international counterparts” to learn more about what is being done in response to the Ashley Madison data breach.

“If personal data is hacked from websites and posted online, there can be a risk of identity theft,” said the ICO at the time.


However, Avid Life Media initially played down reports that it had wrongly retained user data.

“Contrary to current media reports, and based on accusations posted online by a cyber criminal, the paid-delete option offered by AshleyMadison.com does in fact remove all information related to a member’s profile and communications activity,” the firm said in a statement posted online.

“The process involves a hard-delete of a requesting user’s profile, including the removal of posted pictures and all messages sent to other system users’ email boxes.”

ALM also said it managed to close the holes in its website that the hackers used: “At this time, we have been able to secure our sites and close the unauthorised access points.”

ALM now offers users of its services free profile deletion as it reacts to a hack of its site that was claimed to have affected 37 million users. The firm said that the profile deletion service, which usually costs £15, will now be offered for free, as it hit back at the hackers’ claims that the feature does not work.

The July hack

Despite claims that Ashley Madison had “stringent security measures” in place before the data breach, the Impact Team hackers said they stole customer records, maps of internal company servers, employee network account information and company bank account details.

“We apologise for this unprovoked and criminal intrusion into our customers’ information. We have always had the confidentiality of our customers’ information foremost in our minds,” said ALM.

The websites Cougar Life and Established Men, both owned by ALM, were also affected by the breach.

Impact Team quickly claimed credit for the breach and initially released 40MB of data, including user account details and financial information.

“Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed,” warned Impact Team in a ‘manifesto’.

“We will release all customer records, profiles with all the customers’ secret sexual fantasies, nude pictures and conversations and matching credit card transactions, real names and addresses, and employee documents and emails.”

ALM confirmed that its systems had been breached and that a criminal investigation is now underway.

“The current business world has proven to be one in which no company’s online assets are safe from cyber vandalism, with ALM being only the latest among many companies to have been attacked, despite investing in the latest privacy and security technologies,” the firm said.

“As other companies have experienced, these security measures have unfortunately not prevented this attack to our system.”

Following the hack ALM told V3 that it used the Digital Millennium Copyright Act (DMCA) to remove all posts relating to the incident as well as “all personally identifiable information about our users published online”.

“We have always had the confidentiality of our customers’ information foremost in our minds and are pleased that the provisions included in the DMCA have been effective in addressing this matter,” the firm said.

ALM chief executive Noel Biderman said that he believes he knows the identity of the culprit, claiming it was someone who had inside access to its networks, according to security expert Brian Krebs.

“I’ve got their profile right in front of me, all their work credentials. It was definitely a person here that was not an employee but certainly had touched our technical services,” Biderman explained.

 


24 August 2015 | 4:08 pm – Source: v3.co.uk
