On July 20, members of the infidelity service site Ashley Madison were horrified to hear that the site’s security had been breached.
Millions of records were confirmed as stolen and, worse, were
threatened with release. The alleged culprit of the theft is
Impact Team.
A month later, Impact Team took credit for making good on its threats by dumping
the massive data haul online. Included in the data dump was member
data: members’ status as members, intimate details about their
relationships, sexual interests and lives, emails and other contact
information, and credit and PayPal records.
In response to challenges to the data’s authenticity, Impact Team began a second series
of dumps, including what appears to be essentially all corporate
records: source code, internal business documents and
corporate emails of Avid Life Media/Ashley Madison. Virtually the
entire contents of Avid Life Media’s servers were stolen and
made publicly available via Tor, in what has been called one of the
largest data breaches and thefts of all time, anywhere.
Ashley Madison IT business practices
Within those hundreds of thousands of documents is one entitled Areas
of Concern – Customer Data (abbreviated in this article as AoC). This
document was contained in the dump of corporate files, its existence
rather glaringly announced by its being placed in a separate document,
apart from the millions of others. The needle in the treasure-trove
haystack of corporate data, regarding Avid Life Media’s IT practices,
was out in the open to be easily spotted.
In the AoC, the IT business practices of Avid/Ashley Madison begin to
emerge, including its relationships with third-party vendors. New Relic is mentioned as one of three third-party IT vendors to Avid.
Also mentioned in that document as vendors are OnX (publicly reported as being an Ashley Madison vendor)
and Redis/Memcached (alternative open source caching tools).
It’s important to remember that the accuracy of the contents of all
of the dumped files requires circumspection; it is unknown whether
Impact Team modified any documents before uploading. The documents have,
however, been verified as authentic copies of those contained in the dump.
New Relic as IT Vendor, Among Others
The AoC identifies New Relic as a customer data “concern”
(worry) by noting that it could employ “a hacker/bad actor” who
could gain access to customer data. There was nothing in the AoC to
indicate any reason to single out New Relic as a third-party vendor
presenting particular customer data security risks. Avid/Ashley Madison
most likely has other IT vendors, possibly including the others named,
that could present such a risk. Given the volume of documents revealed
in the data dump, the potential for and actual access to customer data
by all third-party vendors will likely be revealed as the data is mined.
Statement by New Relic
I contacted New Relic yesterday morning by Twitter to request an
interview in connection with the Avid/AM data breach/leak. In the
statement New Relic emailed to me that afternoon in response to my
request, Andrew Schmitt, vice president of communications and PR for New Relic stated,
“New Relic is aware of reports in the media that we are mentioned in
an Avid Life Media internal document. We have no reason to believe that
we were involved in any way with this breach, nor have we been contacted
by Avid Life Media or third party security firms with regard to this
issue.”
In the context of a security breach of this magnitude, it seems
unfathomable that Avid/AM would not have at least sent vendors a notice
that they might be getting inquiries about the breach/dump and what
participation might (or might not) be required of the vendor in the context
of the breach and its mitigation.
Remarkable for its apparent absence, too, is any notice from security
companies and, more recently, lawyers. Notice might be even more
justifiably expected by a vendor that was called out by name in IT risk
documentation (the AoC) as being a specific data access
risk, as New Relic was. Is it possible that Avid/Ashley Madison has not
notified any vendors of the breach? Given its remarkable paucity of
communication with its members, a lack of vendor notification would
not seem especially surprising.
New Relic is a publicly traded application performance
software-as-a-service (SaaS) company listed on the New York Stock Exchange
under NEWR. New Relic will soon celebrate one year of public trading,
having listed on December 12, 2014. In the investor relations pages of
its website, New Relic describes itself as a “provider of enterprise
software for software analytics.”
Founded in 2008 by Lew Cirne, who now serves as CEO, New Relic’s
original mission was “to provide an advanced application performance
management (APM) solution to businesses of any size through a
software-as-a-service offering.”
New Relic’s site indicates that it has since “expanded its software
analytics offering to make sense of billions of data points about
millions of applications in real time.” The company states that it has
250,000 users and manages 690 billion data points per day.
New Relic is thus, at least in part, a Big Data analytics company, deploying big data analytical software as a service.
New Relic’s product line also includes New Relic Mobile, “which provides code-level
visibility into the performance and health of mobile applications
running on the iOS and Android mobile operating systems”.
In May 2015, Forbes wrote about New Relic’s container and microservices business, stating,
“New Relic has long been seen as one of the enabling vendors for the
future of enterprise IT.”
New Relic self-reportedly works with Memcached in providing support for
the latter’s backend system. Redis is also mentioned as being compatible
with New Relic’s trending/monitoring statistical plugin, MeetMe.
Liabilities for the IT breach
The existence of third-party IT vendors may be of interest to the
increasing number of plaintiffs suing Avid and Ashley Madison. These
plaintiffs have, to date, apparently not named these vendors as
defendants. The filings in these cases will be reviewed more closely for
mention of vendors, and an update to this report filed.
(Forbes)