Ashley Madison admitted "large lack of security awareness" before hack, document reveals

Ashley Madison was guilty ofa "large lack of security awareness" only a month before hackers stole 37 million users' details from the dating website, according to an internal document seen byIT Pro.

The company, which provides a service for people looking to cheat on their partners, also had"a lack of review on security measures", a note in a file titled CSF (critical success factors)Questionnaire, andcompleted by 17 senior employees, admitted.

The internal survey was completed over the middle of June, just one month before Ashley Madison's defences were breached by hackers who threatened to put millions of customer records online if the company's owner, Avid Life Media (ALM), did not shut down the site.

Today the group of cyber criminals, known as Impact Team, made good on its threat and published between 30 million and 33 million records on the dark web, including people's email addresses, credit card numbers and personal details extending to sexual fantasies.

The respondents, who included the CEO and CTO, brought up security matters repeatedly - a fact that is highlighted by the footnote.

When asked in which areas he would hate to see anything go wrong, CEO Noel Biderman highlighted "data exfiltration" and "confidentiality" of customer information as key areas, adding: "An insider data breach would be very harmful. Have we done good enough a job vetting everyone, are we on top of it."

Trevor Sykes, CTO of parent company Avid Life Media (ALM), also raised similar issues, citing "protection of personal information" and security concerns arising from "bad internal actors" four separate times in his responses.

He added: "I would hate to see our systems hacked and/or the leak of personal information."

In a statement included in its first data dump, Impact Team mocked his concerns, quoting his fears before writing: "Well Trevor, welcome to your worst f*cking nightmare."

However, while director of product management Amit Jethani similarly spoke of his "fear of [a] data leak outside our walls", Impact Team made clear that director of security Mark Steele had done everything he could to bolster Ashley Madison's security, before claiming that nothing could have prevented the attack.

The data breach is likely to have far-reaching consequences for Avid Life Media, Ashley Madison and its customers, with security analyst Graham Cluley warning that exposing people as customers of the service could have devastating ramifications.

He wrote in a blog post: "It's easy to imagine that some people might be vulnerable to blackmail, if they don't want details of their membership or sexual proclivities to become public.

"Others might find the thought that their membership of the site - even if they never met anyone in real life, and never had an affair - too much to bear, and there could be genuine casualties as a result.And yes,I mean suicide."

He and others have pointed out that Ashley Madison does not verify email addresses, meaning a customer could sign up with someone else's email, and Impact Team's data dump would often only suggest that the person whose email address was used was the customer.

Executives writing in the CSF document also noted that the potential consequences of a hack would be critical issues for Avid Life Media and its brands.

For instance, Avi from 'Legal' (possibly Avi Weisman, VP and GM of ALM ), raised the spectre of a class action lawsuit as a potential concern something that Impact Team has explicitly advocated, advising victims that "it was ALM that failed you and lied to you. Prosecute them and claim damages".

DespiteKevin McCall, vice-president of operations, claiming "security has become more critical", Impact Team claimed it was easy to hack the site.

"For a company whose main promise is secrecy, it's like you didn't even try, like you thought you had never p***ed anyone off," the cybercriminal group wrote.

Claiming it has also been gathering this information over "the past few years" may imply - if true - that Impact Team has had access to ALM's network for a huge amount of time without anyone in the company's security team realising, or that it has received insider help.

IT Pro has contacted Ashley Madison for comment. An existing statement from the firm addressing the hack read: "This event is not an act of hacktivism, it is an act of criminality. It is an illegal action against the individual members of AshleyMadison.com, as well as any freethinking people who choose to engage in fully lawful online activities.

"The criminal, or criminals, involved in this act have appointed themselves as the moral judge, juror and executioner, seeing fit to impose a personal notion of virtue on all of society. We will not sit idly by and allow these thieves to force their personal ideology on citizens around the world."

Adam Shepherd

Adam Shepherd has been a technology journalist since 2015, covering everything from cloud storage and security, to smartphones and servers. Over the course of his career, he’s seen the spread of 5G, the growing ubiquity of wireless devices, and the start of the connected revolution. He’s also been to more trade shows and technology conferences than he cares to count.

Adam is an avid follower of the latest hardware innovations, and he is never happier than when tinkering with complex network configurations, or exploring a new Linux distro. He was also previously a co-host on the ITPro Podcast, where he was often found ranting about his love of strange gadgets, his disdain for Windows Mobile, and everything in between.

You can find Adam tweeting about enterprise technology (or more often bad jokes) @AdamShepherUK.