If anyone had an incentive to keep its users’ data secret, it was the website for cheaters, Ashley Madison. With the slogan “life is short, have an affair,” discretion was the company’s whole sales pitch. Indeed, even after hackers posted stolen data about 32 million users to the internet on Tuesday, the Ashley Madison website looks like this, promoting its security and discretion:
Worried about getting hacked? Treat your IT workers well.
AshleyMadison.com
So why wasn’t Ashley Madison able to protect its users’ data? A month after the hack was made public, we still don’t know how the hackers got in. But one hint comes from the announcement they posted alongside a sample of stolen data last month.
“Our one apology is to Mark Steele (Director of Security),” the hackers wrote. “You did everything you could, but nothing you could have done could have stopped this.”
We don’t know for sure, but this suggests that the hack could have been carried out by a trusted insider — someone who had privileged access to Ashley Madison’s systems and worked closely with the company’s staff.
Hardening a network against insiders is really, really difficult, because insiders generally need privileged access to do their jobs. Someone needs to set up servers, configure them, and modify them when they break. It’s difficult to give those people the access they need to perform these tasks without also giving them access to user data.
And even if a company’s managers believe they have set up a system so that the IT staff can’t get user data, they have no way to know for sure — because the IT staffers themselves are the ones who actually built the system. If one of them inserted back doors into the system, management is unlikely to ever find out.
The largest technology companies — firms like Microsoft and Yahoo that provide online services to tens of millions of people — have developed more sophisticated ways to deal with this, involving multiple levels of access, careful monitoring of employee viewing of user data, and code audits to close security holes. Even at these companies, there are probably some people who understand the system better than anyone and could compromise these security precautions if they really wanted to.
For the vast majority of companies, there’s probably nothing they can do to fully protect themselves from insiders. The best they can do is limit the number of people with access to the company’s servers and make sure those who do have access are treated well.
It also helps if employees believe in the company’s mission. Insider leaks are rare because most people like the companies they work for and wouldn’t want to cause them harm. But it’s not hard to see why a website dedicated to helping people cheat on their spouses would have more trouble than most cultivating their employees’ loyalty.
