Previously, we highlighted the potential harm to individuals that could result from a data breach involving Social Security numbers. Now, let’s consider the potential collateral damage that can occur if your private data is exposed in an online membership information data breach.
On the internet, groups with specific, similar interests converge in community-building activities. Examples include groups based on religious affiliation, prior military service, individuals with specific medical issues, and those seeking support for mental health. You can even find groups that promote professional affiliations and groups that connect stay-at-home parents of young children. Online membership groups may be identified as those sites that have “members only” areas, offerings, and services in which visitors must implicitly or explicitly affirm their solidarity with the organization’s values, purposes, and subculture.
Cyberattacks Involving High Profile Membership Websites
Member websites pose a unique privacy risk in that members may prefer to be anonymous. This is particularly true of websites for groups that may be involved in controversial activities and knowledge sharing. The following three data breaches illustrate how sensitive a breach involving a membership website can be; a description of the consequences that may occur follows them.
Ashley Madison (2015)
Certainly, anyone with a passing interest in cybercrime has heard of the data breach and exposure of 37 million records from Ashley Madison, the online platform promoting extra-relational affairs. In July of 2015, hacker(s) identified as the Impact Team compromised 25 gigabytes of data, including user information.
Due to the explicit purpose of the website and the oft-assumed implications that a membership on that site carries, the reports often included anecdotes of collateral damage done to those whose privacy was violated. Dating platforms are not the only membership-based communities on the web.
Adult Friend Finder (2016)
In October 2016, hackers compromised six databases containing Adult Friend Finder customer data going back 20 years. The company, which has 60 million members around the globe, maintains a group of social networking websites that includes Penthouse.com, Cams.com, iCams.com and Stripshow.com. The following Adult Friend Finder data was compromised:
- Email addresses
- IP addresses
- Birth dates, among others
Hackers dumped the data across 15 different CSV files, which included more than 3.5 million records, and posted it on the web. Bad actors found the data and started exploiting it, mostly in the form of spam campaigns. Others targeted victims with phishing and other social engineering schemes, e.g. extortion. FriendFinder Networks, Inc. issued a statement alerting the public and informing them that it was conducting a forensic investigation and engaging various agencies, including a law firm.
Membership Information Data Breach of USA Cycling
The USA Cycling breach was discovered on March 16, 2016. The data breached included personally identifiable information (PII) and the usernames and passwords of current and past USAC members. PII that may have been compromised includes mailing addresses, email addresses, dates of birth, and emergency contact details. A hacker was responsible for putting the USA Cycling members’ PII at risk. Furthermore, the organization’s cybersecurity system was outdated (a decade old) and there were no protections placed on passwords, e.g. encryption.
What makes a membership information data breach different is that the information associates you with the subculture, purpose, agenda, and belief system tied to the organization. This creates a unique set of collateral damage possibilities to which individuals may be subjected:
- Targeted Attacks, from Spear Phishing to Death Threats: Association with a religion, political view, sexual orientation, or any number of demarcations can make you a target of those who have strongly opposing views – we generally understand this. But in recent years, the FBI has started seeing a rise in pro-ISIS hacking groups that are putting their efforts into creating “kill lists” based on personal information, which may be obtained through a membership information data breach. This takes the concept of targeted attacks to a whole new level of danger – being put on a member-specific hit list.
- Potential Loss of Job: Organizations are increasingly concerned with the image projected by their employees, regardless of whether they’re on the job or on their own time. When a membership information data breach allows the public to infer that a person’s views or behaviors are ethically divergent from their company’s policies, companies may find a reason to terminate employment for cause.
- Blackmail and Extortion: When confidentiality about a group subject is desired – for example, an online support group for parents of teenage drug addicts – exposure of that information gives criminals leverage to attempt blackmail or extortion against the victims. Often such victims will be reluctant to seek legal help because of the nature of the information which the criminals are leveraging.
The data compromised in a membership information data breach is similar in many respects to the data in a PII breach, but the collateral damage that may be caused to individuals through membership association is much worse – even life-threatening. PII identifies you; membership information allows criminals to make accurate assumptions about those subjective or non-objective things about you, your values, and what “makes you tick.” Therefore, membership information has the inherent capability to be far more damaging than regular PII.
ThreatModeler Can Help to Strengthen Your Membership Website’s Security Posture
Credit monitoring isn’t really helpful when it comes to data breaches involving sensitive information, such as that hosted on membership websites. Unfortunately, once a release of information occurs, there may be no way to reclaim it. There may also be no other legal recourse for the victims. Organizations that process private, confidential data of consumers are obligated to ensure member data is protected. For this reason, it is in their best interest to provide adequate cybersecurity measures and protect data against cyber threats.
There are a number of approaches to risk management, and threat modeling is an activity that can help an organization to better understand its attack surface and defend against threats. ThreatModeler is an automated platform that can shave tens to hundreds of hours off the threat modeling process. ThreatModeler comes loaded with a Threat Intelligence Framework, which references, and stays up to date with, threats outlined by AWS, Azure, OWASP, and CAPEC.
Vulnerability intelligence is also covered by the NVD. To learn more about ThreatModeler and how it can help your organization to identify, prioritize and mitigate attack vector threats within your IT environments, contact us. You can also schedule a live demo with a threat modeling expert.