Are other Canadian tech companies vulnerable to an Ashley Madison-like breach?

Preventive measures could help other tech companies ward off hackers, experts say 


Experts say a massive data breach at Canada-based online dating website Ashley Madison, which facilitates extramarital affairs, has the potential to kill its brand | Shutterstock

Security breaches are similar to colds, according to Dominic Vogel.

You can’t go through life without ever getting sick, but there are basic measures you can take to make sure it doesn’t become the end of you.

The massive data breach at Toronto-based online dating service Ashley Madison, however, appears more akin to the bubonic plague.

In late August hackers released names, credit card numbers and addresses of millions of clients who signed up for the service facilitating extramarital affairs. At least two suicides have been linked to the breach, according to the Toronto Police Service.

“The security that [Ashley Madison] said they had in place wasn’t there,” said Vogel, a cyber-security consultant for Langley-based First West Credit Union. “That brand, I think, is going to be effectively killed because of how that trust [was] just really obliterated.”

Based on the sheer amount of data released, Vogel said it’s likely either a current or former employee was involved with the breach.

Anthony Volpe, chief marketing officer of dating website AmoLatina, noted Ashley Madison has been slow to reveal details of the breach and it’s still unclear exactly how the hack occurred.

“I’m not sure if any system … if there’s an inside job, could be helped,” Volpe said, adding he still thinks it’s possible for a company to survive a breach of this magnitude depending on how it handles the fallout.

Since the breach, Ashley Madison has said site visits have gone up. However, a class-action lawsuit has already been filed against the service’s owner, Avid Life Media, which claimed users could pay US$19 for a “full delete” service of their info. The hack revealed the fee deleted only some information.

“Their brand, as one of their cornerstones, says that it’s anonymous,” Volpe said.

The breach has sent consumers and companies scrambling to ensure sensitive information is kept secure, while many in the industry have been left wondering how such a massive breach could occur.

The hackers behind the attack, The Impact Team, claimed the website had virtually no security measures and said that was one of the reasons it was targeted.

Peter Nguyen, technical services director at the LightCyber security firm, said such a massive breach could have occurred either through vulnerabilities within its security system or, ultimately, through a lax corporate culture.

“The frightening truth is that most companies lack any effective ability to spot an active breach,” he said. “The industry average for an attacker to go unnoticed is six months. That’s a pathetic statistic – it gives plenty of time for an attacker to complete a successful breach.”

Nick Espinosa, chief information officer at BSSi2 IT consultancy, said high-profile websites are especially vulnerable to these types of attacks.

“Any company, but especially those with a public-facing website that requires users to interact with it, should be doing quarterly reviews of their security,” he said, adding that such reviews should include verifying the encryption system is updated, confirming servers hosting the database are secure and verifying firewall firmware is up to date.

“Every six months to a year an ethical hack attempt should be made to break into the site so security can be continuously assessed.”

Vancouver-based online dating service PlentyOfFish declined an interview request to discuss the measures it takes to protect clients, but Vogel said many of the same lessons apply.

“A company like PlentyOfFish, the same with the Ashley Madison, you need to have an empowered security professional who’s able to drive those business initiatives and make those risks known to the board and to the executives,” he said.

torton@biv.com

@reporton