Leaked data can t be linked to specific members: Ashley Madison
|CTVnews 20 Aug 2015 at 14:31|
TORONTO -- Personal information about Ashley Madison clients exposed in a massive data breach this week doesn t prove their infidelity, the adultery website said Thursday as it took pains to reassure nervous members and suspicious spouses.
The company investigating the breach for Ashley Madison confirmed the website doesn t verify email addresses used to sign up for the service, nor does it collect phone numbers or store full credit-card numbers.
"This means that anyone could have used any email address to sign up for an account," Joel Eriksson, the chief technology officer for Toronto cyber-security company Cycura, said in an email.
"So a list of email addresses is not proof of anyone s membership."
He added that Avid Life Media, Ashley Madison s parent company, doesn t check the authenticity of email addresses, precisely to ensure no account can be conclusively linked with a specific person.
"By not having email verification, users have plausible deniability with regards to their membership status," he said.
"Note that verification of email addresses are mostly relevant to sites that harvest personal information as a part of their business model, and want to tie each user to an identity. In this case, that would not be in the best interest of either the users nor (Avid Life Media)."
People can speculate based on the data leak, Eriksson added, but there s no smoking gun.
Scouring the data for familiar names or email addresses among the site s more than 35 million registered members has become a popular pastime for worried spouses and curious Internet users worldwide.
There are hundreds of email addresses in the data release that appear to be connected to federal, provincial and municipal workers across Canada, as well as to the RCMP and the military.
Cycura is investigating the breach along with the FBI, RCMP, OPP and Toronto Police Services.
Eriksson says the source code used by Avid Life Media is being audited for "vulnerabilities and backdoors" though it doesn t appear that any software vulnerability was exploited in the breach.
Ontario government technology experts are also looking into the leak after dozens of provincial email addresses were linked to Ashley Madison account-holders. Provincial officials say if any civil servants used their work emails to set up their Ashley Madison accounts, that would be considered a misuse of government IT resources.
Attorney General Madeleine Meilleur s office says "information and technology officials are looking into whether any misuse has occurred."
Lawmakers abroad have denied signing up for the site after email addresses linked to them appeared on the list.
Scottish lawmaker Michelle Thomson said an obsolete email address had been "harvested by hackers" and used to register an account with the site. A similar explanation was offered by Talab Abu Arar, a Bedouin Arab lawmaker in Israel whose parliamentary email address was found amid the dump.