The right to complaint is, at the end, what we have after a successful cyberattack (of course, I mean success from the point of view of the hacker that carry out it).

And this what executives of Ashley Madison are doing with their press release published on 18th August, explaining that the data breach they have suffered is not a case of "hacktivism", but a criminal attack. In fact, nobody can doubt that it looks a criminal act, but the result is, spite of them, 10 GB with information of the last 8 years including clients data like telephones, adresses, transactions... including from written off clients (without considering aftermaths, true or not, that multiply this quantity).

Now they claim that there is people that knows the authors and they invite to report them. But, in the end, and independently of course of events, they have been a huge amount of cuckolds brought to the fore.

According to Krebs, who was the one that uncover the leakage, it seems that the author of the attack has been somebody that has had authorized access to the systems and information leakaged. Probably, a dsgruntled employee with credentials not suspended o something similar... uff, bad thing.

Anyway (and looking to our area of interest), if Ashley Madison had implemented and mantained practices and controls corresponding to a rating level according to the level of confidentiality needed for its business (like suspend / delete not used accounts, encrypt information highly sensible, both in transit and at rest, etc.), we could not assure that the leakeage could have been avoided, but for sure, it should have been more difficult.

Take care of where we put those things what matters most!

 

You can follow us on twitter.com/leet_security

25 de agosto de 2015