Friday, 22 May 2015

Adult Friend Finder data breach, the aftermath...

Did you hear about the Adult Friend Finder data breach? Of course you did, it’s all over the news [1] [2] and it is getting major attention due to the spicy nature of the content. 
The online adult service was breached and 3.8 million accounts became public. 

The information, including sexual preference, marital status and other personal data (such as date of birth, email addresses and postal/home addresses), is now all publicly available.

Well, we have seen data breaches before, but how is this data breach a little bit different?

Up to now, every article I read online about this incident treats it as yet another data breach, without paying any attention to the effects such a data breach will have on people. Let us go through the issues that come to mind, one by one.

>> how many accounts are actually real?
People who tend to use these services do not always provide their real details (or their primary email address). They might have been using an alias, a different email address or completely fake information. In reality, we don't really know how many real accounts have been breached.

>> are you aware there is an account with your email address?
Another issue that arises concerns accounts based on people who are not aware their details are being used on this website (someone impersonating them, pictures included). Imagine someone who has built an online profile using your pictures and information gathered from the social media you use. Do you remember the Cupid case with the fake profile allegations not long ago? [3]. It can become very difficult to prove you are not the one who created the account and, more importantly, you might find yourself in a situation that could prove quite difficult to extricate yourself from. Note that business email addresses belonging to well-known domains were found among the breached accounts.

>> how does this affect those with real accounts who used their primary email addresses?
Last but not least, among the accounts breached there are going to be accounts of real people using their real details. This of course is perfectly fine, as people have the right to use this service in order to meet other people. However, as always happens in these data breaches, the email addresses of the breached accounts have been added to a website where they can be queried by anyone. Let me point out here that if you are worried about someone discovering that you had/have an account, this has always been discoverable through the website itself. The difference is that now almost everyone is aware of the breach and the issue is drawing attention. As you can see in the following screenshot, the website does tell you whether your email address is in its database when you try to request a new password (as @troyhunt pointed out on Twitter).
It is now up to the people who are going to query the information. Imagine your other half finding out about the breach and querying the database with the email addresses you use in order to check whether you have registered with this service. As you can imagine, coming back from work this Friday you might have some answering to do over the weekend.

From my point of view, the people who are using or have used this service are entitled to their privacy. This kind of data breach messes with people's personal lives and it is not their fault the data were compromised. No one seemed to care when their data were exposed in the Adobe, Forbes or Skype breaches. However, such a breach might stigmatise and affect people in unpredictable ways.

>> the aftermath... and a "data stored sensitivity rating" to be enforced by regulation?
However, do not misinterpret the point I am trying to make. I am not arguing whether the breached accounts should be online or not. They have been breached and there is nothing you can do about it now. What I am saying is that data breaches such as this one should be seen from a different perspective as well. Some claim that people shouldn't be using their primary email addresses on this service. Well, people do use their primary email addresses, as not all of them are security experts who think that far ahead. This might be a broad and generic example, but holding a driving licence does not necessarily prove that you know how to react to every unpredictable road hazard. The real question is what can be done to protect people's privacy and personal lives from exposure due to a third-party security breach. Maybe we should be considering classifying the sensitivity of the data being stored on online services. According to the "sensitivity level", different levels of security measures/standards should be mandated and different rates of fines should be enforced in case of a breach. For example, depending on which "stored data sensitivity rating" they belong to, a new regulation could make it mandatory to comply with the Cyber Essentials Plus Scheme, and we should definitely consider something like the EU Data Protection Regulation on a global scale.

In other words, it is unacceptable that the business logic allows people to dig up (enumerate) registered email addresses through the "Forgot Password" form on the website. Such practices demonstrate that privacy issues are not taken seriously, to say the least. On a lighter note: "The 1980s called, they want their website security design back..."
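To make the "Forgot Password" problem concrete, here is an added illustration (my own constructed code, not the site's) of an enumeration-prone reset handler next to a hardened one that answers identically whether or not the address is registered, plus the regression check a development team could keep in its test suite. The USERS store, the OUTBOX stand-in for an email service and the messages are all constructed for the example. It goes slightly beyond the post in that the hardened handler also performs the same work in both branches, so that response time gives away no more than the response text does.

```python
import secrets
from typing import Callable, Dict, List, Tuple

# Constructed sample user store for the example: email -> account record.
USERS: Dict[str, dict] = {
    "alice@example.com": {"id": 1},
    "bob@example.com": {"id": 2},
}

# Uniform reply used by the hardened handler for every address.
GENERIC_MESSAGE = "If that address is registered, a reset link has been sent."

# Stand-in for the outbound email service: (recipient, token) pairs.
# The token only ever travels to the address on file, never in the response.
OUTBOX: List[Tuple[str, str]] = []


def vulnerable_forgot_password(email: str) -> dict:
    """Enumeration-prone handler: status code and message differ depending on
    whether the address is registered, so anyone can test addresses."""
    user = USERS.get(email.lower())
    if user is None:
        return {"status": 404, "message": "No account found with that email address."}
    token = secrets.token_urlsafe(32)
    OUTBOX.append((email.lower(), token))
    return {"status": 200, "message": "A password reset link has been sent to your email."}


def hardened_forgot_password(email: str) -> dict:
    """Uniform handler: identical status and message for registered and
    unregistered addresses. The lookup and token generation run in both
    cases so the two paths do comparable work; only the send is conditional."""
    user = USERS.get(email.lower())
    token = secrets.token_urlsafe(32)  # generated unconditionally on purpose
    if user is not None:
        OUTBOX.append((email.lower(), token))
    return {"status": 200, "message": GENERIC_MESSAGE}


def response_leaks_existence(handler: Callable[[str], dict],
                             known: str, unknown: str) -> bool:
    """Regression check: True if the handler's observable response differs
    between a registered and an unregistered address."""
    return handler(known) != handler(unknown)


def tokens_sent_to(email: str) -> int:
    """How many reset tokens the outbox holds for an address."""
    return sum(1 for recipient, _ in OUTBOX if recipient == email.lower())


if __name__ == "__main__":
    for name, handler in [("vulnerable", vulnerable_forgot_password),
                          ("hardened", hardened_forgot_password)]:
        leaks = response_leaks_existence(handler, "alice@example.com", "nobody@example.com")
        print(f"{name}: leaks account existence = {leaks}")
```

The uniform response is the minimum; in a real deployment the same form also needs rate limiting per address and per client, and the registration and login forms need the same treatment, since a "that email is already taken" message leaks exactly the same fact.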

Finally, to give an example of why I believe there should be a "data stored sensitivity rating", consider that people could be blackmailed over being found to have an account with this service. Some might be so embarrassed that their friends and family will learn they were using this service, or learn their sexual preferences, that it might stigmatise their personal lives beyond recovery. This is why I believe that such a data breach might affect people in unpredictable ways and that we should look at this from a different perspective.

Further reading about the data breach:[1]
