Ashley Madison: 150K Indian Records Exposed
Indian Subscribers' Data Breached in Hacking Dump
If Indians thought that their personal details might be immune to the types of data breaches that regularly hit the United States, Canada, Europe and other parts of the world, close to 150,000 of them need to rethink that assumption. The breach of the online dating website Ashley Madison appears to include sensitive personal details relating to between 100,000 and 150,000 registered customers in India.
This week, a hacker or group known as the Impact Team followed through on its July threat to leak subscriber data for Ashley Madison - tagline: "Life is short. Have an affair" - unless parent company Avid Life Media shuttered the dating site, plus two sister sites. When the company failed to do so, the hackers released a nearly 10 GB compressed file via BitTorrent containing what they describe as a selection of "all customer information databases, complete source code repositories, financial records, documentation, and emails." [See: Ashley Madison: Hackers Dump Stolen Dating Site Data]
The leaked data also includes customers' names, addresses, stated sexual preferences, and some of the messages they sent to other users via the site. Based on a review of the data, many security experts say the dump appears to be legitimate. They caution, however, that the website did not verify user-provided email addresses, so the presence of an email address in the dump does not prove that the address's actual owner ever registered an account.
With that caveat in mind, one Mumbai-based security expert, speaking on condition of anonymity, tells ISMG that the leak contains 2,642 Excel databases of customer information alongside the other data. Based on a random sample of 10 to 15 of those databases, dating from 2008 to June 28, 2015, he estimates that 100,000 to 150,000 records tie to Indian residents.
The expert stresses that the estimate is approximate, since some records may be duplicates. But judging by the figures in the records, he adds, India may account for tens of millions a year in business for Avid Life Media. That would make the Ashley Madison breach the first global data breach to have visibly compromised a significant number of records belonging to Indian citizens.
The Impact Team's BitTorrent release also includes other details about many of the site's claimed 37 million members across 46 countries. The attackers first previewed the stolen data in July, and Avid Life Media confirmed at the time that it had been breached and was investigating the incident with the help of law enforcement agencies. [See: Pro-Adultery Dating Site Hacked]
Indian Records Exposed
Reviewing the leaked data, the Mumbai-based security expert says that the distribution of Indian users appears to be uniform, comprising approximately 50,000 users in each of the three main regions: west - Mumbai/Pune; north - Delhi/NCR/UP; and south - Bangalore/Chennai.
An analysis of the Excel data further reveals that the leak includes masked credit card numbers, transaction amounts, cardholder names, email addresses, transaction dates, location data - state, city and, in some cases, home or office addresses - as well as the customer's IP address. These and other details, including forum comments that can be linked back to real-world identities, have been exposed in what is one of the largest breaches ever attributed to hacktivists.
Arguably, Indians have previously felt insulated from high-profile global data breaches. Because India has no breach notification law, public awareness of breaches affecting Indian users remains poor. The release of more than 100,000 Indian records exposing potentially embarrassing and intimate details, in a largely conservative country, may be one of the first global breach events seen as directly affecting Indian citizens.
Obvious malicious uses of this information include public embarrassment, extortion and blackmail. Yet even as Indian consumers adopt online services at rates approaching global averages, they remain largely unaware of the consequences of sharing personally identifiable information, the security expert warns.
From a jurisdiction and liability standpoint, it is possible that the Ashley Madison breach will lead to parent company Avid Life Media facing legal liability in India. Previous incidents in India have made clear that Indian law is ill-equipped to deal with data breaches, and this episode also raises questions of jurisdiction, which remain unsettled in such matters, says Pranesh Prakash, policy director for the Centre for Internet and Society, a Bengaluru, India-based legal and policy think tank.
"There is no single test for jurisdiction laid down by the Supreme Court," says Prakash. "The Information Technology Act does not restrict its jurisdiction to acts conducted in India, so it may legally be possible to bring a suit against Ashley Madison in India."
Since the company has no representation or offices in India, however, serving it with a legal notice and requiring its legal representatives to appear before an Indian court might not be practical or effective, he says. As for the company's liability under Indian law, the country's lack of a general privacy law adds further legal complexity, he says. [See: India's 2015 Data Privacy Agenda]
"What kind of legal duty exists is the question," Prakash says. "Under the EU's Data Protection Guidelines, the legal duties owed to 'data subjects' are clear, but not so in India, since we do not have a general law for data protection or data privacy."
Under existing Indian law, the case would turn on the means by which the breach took place, he says. For instance, if the hack was perpetrated by an outsider, liability could arise under section 43A of the IT Act, which covers negligence in handling sensitive personal data, or under tort law. If an insider was involved, laws covering breach of trust and other offenses not specifically addressed by the IT Act, but covered under other statutes including the broader Indian Penal Code, would apply.
In short, the company would be liable only if negligence is established under section 43A, while the perpetrator would be liable under the IT Act and/or face criminal prosecution in all other cases. "Ashley Madison would likely get off easy under Indian law, and bringing the attackers to book is not a practical option anyway," he says.