John McAfee points to lone woman as Ashley Madison attacker while company offers reward
Online rumblings began pointing to a lone female as the perpetrator of the Ashley Madison data breach while class-action lawsuits were filed and reward offered.
The data breach at Ashley Madison looks as if it could be the work of an insider, according to controversial new claims by security pro John McAfee.
In a column published Monday morning on the International Business Times website, McAfee contended that the alleged hackers behind the data breach, the “Impact Team,” is likely a lone woman who previously worked at Toronto-based Avid Life Media.
Pointing to research he conducted on the dark web with “reliable sources,” and his analysis of the data, McAfee wrote that he can “confidently claim that the single person is a woman, and has recently worked within Avid Life Media.” He went on to say 40GB of data is “more than sufficient” to point to an inside job, and the language used in the perpetrators' manifestos provide “emotionally charged words,” which McAfee said indicated a woman's involvement.
“Strange” files, such as the Ashley Madison office layout, raw source code for every Ashley Madison program ever written, and IP addresses and the current status of every server owned by Avid Life, also made McAfee think an insider could be to blame.
“These are just a few of the many strangely included files that would take even a top-notch hacker years to gather, and seem to have little or no value,” McAfee wrote. “Any reasonable cybersecurity expert would come to the conclusion that only someone on the inside, who could easily gain all of the files through deception and guile, could have done the job.”
To support his claims that a woman conducted the theft, McAfee focused on the perpetrator's mentioning of a member who “spitefully” joined Ashley Madison the day after Valentine's Day.
McAfee contended in the opinion piece that “women rate Valentine's Day higher than Christmas, and men think so little of it that they have to remind each other the day is nearing.” He also said, “to call an act the day after Valentine's Day ‘spiteful,' is a thought that would enter few men's minds.”
Addressing skeptics, McAfee wrote, “If this does not convince you, then you need to get out of the house more often.”
Seemingly unswayed, security professionals took to Twitter to break down McAfee's argument and point out perceived flaws, as well as sexist language. One man, Frank Endrullat, a technical support engineer at FireEye, according to his LinkedIn profile, tweeted that typical default data breach attribution often goes to the Chinese and North Koreans. To that, Eric Rand, a researcher at Brown Hat Security, replied: "'Insider Threat' is pretty useful at times, if you want to start a witch hunt."
Others used McAfee's controversy-laden past as evidence enough not to follow his argument and to make a joke of his column. McAfee was arrested for driving and being in possession of a handgun while under the influence earlier this month. He was also named a "person of interest" by Belize authorities in a 2012 case.
While the debate and investigation into the Ashley Madison data breach perpetrator continues, Avid Life put out a reward of up to $500,000, in Canadian dollars, for anyone who provides information leading to the arrest of the hacker(s) who stole the data.
In the midst of its efforts to do damage control, Avid Life also was hit with a $578 million class-action lawsuit filed by two Canadian law firms over the weekend, although the courts have yet to certify the cases.
An insider job won't help the company avoid class-action lawsuits, in the U.S. at least, John P. Hutchins, shareholder and leader of LeClairRyan's Privacy & Data Security practice team, said in an interview with SCMagazine.com.
For a class-action suit to work, he said, the company's conduct that caused the breach “must give rise to a claim, such as negligence or a breach of contract, and then,” he said, that claim must “support an action for damages because you've suffered some sort of harm.”
In the case of an insider, a negligence case could be argued in that the company didn't revoke permissions, for instance.
“The simple fact that the person was an insider versus somebody who wasn't an insider doesn't have that much impact on whether this data breach will be successful in litigation against some other data breach,” Hutchins said.
UPDATE: This story was updated to clarify currencies; Avid Life Media is offering its reward in Canadian dollars.