Hackers publish another 13GB of Ashley Madison data

                                   

The Impact Team hacking group targeting cheating site Ashley Madison has released a second set of sensitive data including emails of the CEO of the parent company Avid Life Media (ALM).

On the 19 August 2015, the group carried out its threat to publish user records if ALM did not take down Ashley Madison and dating site Established Men, first publishing 9.7GB and now13GB of data.

The hackers issued the threat in July 2015 when they claimed to have compromised ALM’s user databases, source code repositories, financial records and email system.

The Impact Team has encouraged ALM’s customers, including one million in the UK, to sue the company for failing to keep their data safe.

The group has also accused ALM of lying about its service that claimed to delete members’ profile information for a $19 fee. “Full Delete netted ALM $1.7m in revenue in 2014. It’s also a complete lie,” the hacking group said.

The first set of data included personal details and financial transaction histories for around 32 million Ashley Madison members, including UK civil servants, US officials, members of the US armed forces and top executives at European and North American corporations.

The latest set of data was also posted to the dark web using an Onion address accessible only through the Tor browser and includes source code from the website, internal emails and a note to the company’s founder Noel Biderman.

In response to ALM’s statement that the first set of data may not be authentic, the hackers accompanied the second set of data with a note saying: “Hey Noel, you can admit it’s real now.”

One file appears to contain nearly 14GB of data from the Biderman’s email account, but the file is zipped and appears to be damaged, reports the BBC.

Tim Erlin, director of IT security and risk strategy at Tripwire, said that while the target of the attack and breach may be Ashley Madison, there is significant collateral damage with the release of so much personal information.

“The collection of so much data isn’t a simple task. This attack was targeted and persistent,” he said.

Ken Westin, senior security analyst at Tripwire, said the breach and resulting data dump was a personal attack with the goal of retribution.

“The goal was to expose and shame ALM and try to push the company to shut down two of their most profitable properties. The exposure of the users and the site was collateral damage,” he said.

According to Westin, the additional release of information regarding the company and emails reveals just how deeply the breach was.

“This is reminiscent of the Sony breach, which was also personal and the goal was to embarrass and shame the company and executives,” he said.

Other security commentators have noted the exposure of the Ashley Madison’s source code could make the website vulnerable to attackers for as long as it remains operational.

ICO orders Google to remove links to right to be forgotten takedowns

                             

The Information Commissioner’s Office (ICO) has ordered Google to remove nine search results linking to news stories about the removal of information under the "right to be forgotten" ruling.

The ruling by the European Court of Justice states that, under European law, search engines are data controllers and must consider all requests to stop returning outdated information in search queries.

The UK privacy watchdog ordered the takedowns after it ruled that they linked to information about a person that was no longer relevant.

The ICO ruling concerns nine links that are part of the list of results displayed when a search is made by entering the individual’s name.

The links are to web pages that include details of a minor criminal offence committed by the individual almost ten years ago.

Google had previously removed links relating to the criminal offence following a request from the individual.

But the removal of those links then itself became a news story and links to these later news stories, which repeated details of the original criminal offence, were then part of the results displayed when searching for the complainant’s name on Google.

That phenomenon became known as the Streisand Effect after actress Barbra Streisand, who – in suing for the removal of aerial images of her California home from the internet – unwittingly spurred internet users to find it.

Journalistic interests

Google had refused the complainant’s request for these later links to be removed from search results, arguing that these links were to articles that concerned one of its decisions to delist a search result and that the articles were an essential part of a recent news story relating to a matter of significant public importance.

The ICO said its ruling recognised journalistic content relating to decisions to delist search results may be newsworthy and in the public interest. But the ruling confirms that this does not justify including links to that content when a Google search is made by entering the affected individual’s name, as this has an “unwarranted and negative impact on the individual’s privacy” and is a breach of the Data Protection Act.

Deputy commissioner David Smith said the European court ruling in May 2014 was clear that links prompted by searching on an individual’s name are subject to data protection rules.

“That means they shouldn’t include personal information that is no longer relevant,” he said

Takedown requests were reportedly submitted within a day of the European court ruling, forcing Google to scramble to introduce an online application form for Europeans who wanted personal data to be removed from online search results.

Smith said it is wrong of Google to refuse to remove newer links that reveal the same details and have the same negative impact as the previously removed links.

“Let’s be clear. We understand that links being removed as a result of this court ruling is something that newspapers want to write about. And we understand that people need to be able to find these stories through search engines like Google. But that does not need them to be revealed when searching on the original complainant’s name,” he said.

The ICO has issued an enforcement notice requiring the links to be removed from the search results in 35 days.

Google has not responded to requests for comments on the ICO’s enforcement notice, according to the Guardian.

While the ICO’s enforcement order applies only in the UK, Wall Street Journal blogger Sam Schechner said it could provide an example for other countries, potentially provoking a new wave of takedown requests of stories about takedown requests – and a subsequent wave of stories about those new requests.

“That will also give ammunition to free speech advocates and privacy activists in their tussle over where to draw the line between privacy and the public’s right to know–and whether Google should be notifying websites of removals under the right to be forgotten,” he wrote.

HP business units decline as company readies split

                             

All areas of Hewlett-Packard’s (HP’s) business, apart from its enterprise group, declined in their third quarter (Q3) 2015 results, the company stated.

Personal systems revenue was down 13% year-over-year; printing revenue was down 9% year-over-year; Enterprise services revenue was down 11% year-over-year and software revenue was down 6%.

Its Enterprise Group increased revenue by 2% year over year thanks in part to 22% growth in its networking business and 8% growth of industry standard (PC) servers. However, other parts of the group declined: storage revenue was down 2%; business Critical Systems revenue was down 21% and technology services revenue was down 9% compared with the same period the year before.

Overall, the company reported gross margin of 23.8%, down 0.2 points year-over-year and 0.2 points sequentially.

In a transcript of the earning calls for the Q3 2015 results posted on the Seeking Alpha financial blogging site, CEO Meg Whitman said the company had taken a major step forward in preparation for splitting. 

“We successfully split the operations and IT systems for the company. This separation required working directly with more than 3,500 customers and partners to prepare for the cut-over. We successfully separated nearly 750 systems affecting 95% of our business with no issues,” she said.

“After shutting down for just three days to transition, critical operational systems across our business segments are live globally.”

HP has also announced the executive team for HP Enterprise and HP Inc. Hewlett Packard Enterprise will be led by current HP chief executive officer Meg Whitman. HP Inc. will be led by Dion Weisler, who currently runs the printing and personal systems group at HP.

When asked about the decline in technology services revenue, Whitman said: “When Antonio Neri ran technology services, he did a remarkable job in creating products, such as proactive care and datacentre care, that are filling the vacuum left by Itanium and a downward decline in Enterprise Group hardware revenues. 

“Technology services has not only great financial characteristics, virtually every customer needs to attach technology services so they have the ability to service their hardware in their datacentre in real time with the biggest footprint of services individuals around the world.”