Ashley Madison Hack Claims First Victims
wired_parrot writes: Toronto police are reporting that 2 unconfirmed suicides have been linked to the data breach. This follows pleas from other users of the site for the hackers to not release the data before it was exposed. An anonymous gay Reddit user from Saudi Arabia, where homosexuality is illegal, pleaded for the data to be kept private: "I am about to be killed, tortured, or exiled," he wrote. "And I did nothing." And when The Intercept published a piece condemning the puritanical glee over the data dump, one user who commented on the article said she's been "a long term member" of the site because her spouse's medical condition has affected their intimate life. Her spouse knows she's engaged with other Ashley Madison members, she says, but now fears she will likely lose friends and have to find a new job now that her association with the site is out there.
Ashley Madison has now offered a $380,000 reward for information that leads to the arrest and conviction of the hackers who leaked the data. Security researcher Troy Hunt has also posted about the kind of emails he's received from users after the data leak.
If you store other people's shit in your home for money, damn right you are responsible for its security. Nobody cares if your own stuff gets stolen.
My wife has a yarn store and import/distribution business for fancy schmancy yarns. We have customer data, not by choice; customers demand it for their convenience. I happen to be a security/crypto type engineer. So we worked out what the plan was based on the notion that a yarn store is helpless in the face of electronic warfare.
1) Outsource anything touching PCI-DSS. The payment card machine doesn't attach to the computer. The online payments are through a service that handles the card data on their servers while appearing to be on our web site, and PCI-DSS compliance is part of their service. PCI-DSS sucks (I've read the specs - it's not pretty). But it's what we have. So pay someone else to hold the responsibility who on the surface may be better positioned than a yarn store to handle such data.
2) Don't keep customer credit card data on a computer. Use other means.
In general, there's nothing anyone can do who isn't deeply involved in computer security and cryptography, which on average is everyone. Those few who are involved in the intersection of retail and computer security are disempowered by the payment card companies who dictate terms, avoid liability and push absolutely useless security standards on the rest of us.
I should use this sig to advertise my book ISBN-13: 978-1501515132.