On August 18th, a group of hackers known as the Impact Team released a massive database containing data on Ashley Madison’s 33 million users.
According to most Information Security Experts, the data contained in the hack is real.
On August 20th, the Impact Team released a second wave of data this time focused on confidential corporate information about Ashley Madison, from presentations and contracts to the CEO’s emails.
While many are rejoicing about the fact that a website promoting infidelity is being taken down along with many of its users, there are serious business issues that need to be addressed. We know that at least 36% of Canadian businesses have been hit by cyber-security attacks. Information security is not solely a technology issue; it is mainly a business issue!
The first business issue: how did the hackers obtain this data? The initial indicators seem to show that this was an internal security breach within Ashley Madison or its parent company, Avid Life Media. This is not a surprise to many in the cyber-security world. Forrester Research in 2013 reported that insider threats are the leading cause of data breaches. The report states, “it's also important, however, that the enterprise has some amount of visibility to what's happening on its networks, given that 25 percent of respondents said that abuse by a malicious insider was the most common way in which a breach occurred in the past year.”
Ashley Madison itself admits to these internal issues after an internal employee survey showed that there was concern about security.
What processes did they have in place internally to prevent employees from not only viewing data but being able to access and download over 33 million user profiles? To put this in perspective, Canada’s population is approximately 35 million people! While no technology is perfect, there are business processes that every company must put in place to protect employee and customer information.
No one person should have access to all elements within a data network. For instance, an employee in finance who handles reporting will have access to particular data. That employee may have the rights to edit and view contents but is blocked from downloading; whereas the Chief Financial Officer for the company would have full access to that same dataset. If anyone tried to go outside of their role, not only would they be blocked – but a notification would also be triggered.
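The access model described above (role-scoped permissions, denial of anything outside the role, and a notification on every denied attempt), as an added illustration that is not code from Ashley Madison or any vendor. Role names, the permission matrix and the bulk-export threshold are assumptions, and the threshold check is an extension of the text: even a role that may download is alerted on when a single account exports an unusually large number of records.

```python
"""Role-based access check with alerting (constructed example)."""
from collections import defaultdict

# Permission matrix for the customer dataset. Assumed roles and actions.
ROLE_PERMISSIONS = {
    "finance_analyst": {"view", "edit"},          # may read and edit, never export
    "cfo": {"view", "edit", "download"},          # full access to the same dataset
}

# Assumed threshold: exporting more records than this from one account is
# treated as anomalous even when the role is allowed to download.
BULK_EXPORT_THRESHOLD = 10_000


class AccessController:
    def __init__(self):
        self.alerts = []                    # notifications that would go to security
        self.downloads = defaultdict(int)   # running count of records exported per user

    def authorize(self, user, role, action, record_count=1):
        """Return True if the action is permitted for the role.

        Any out-of-role attempt is denied and recorded as an alert. Downloads
        are additionally denied and alerted once a user's cumulative export
        exceeds BULK_EXPORT_THRESHOLD records.
        """
        if action not in ROLE_PERMISSIONS.get(role, set()):
            self.alerts.append({"user": user, "role": role, "action": action,
                                "reason": "out_of_role"})
            return False
        if action == "download":
            self.downloads[user] += record_count
            if self.downloads[user] > BULK_EXPORT_THRESHOLD:
                self.alerts.append({"user": user, "role": role, "action": action,
                                    "reason": "bulk_export",
                                    "records": self.downloads[user]})
                return False
        return True


if __name__ == "__main__":
    ac = AccessController()
    print(ac.authorize("alice", "finance_analyst", "download"))   # False, alert raised
    print(ac.authorize("bob", "cfo", "download", record_count=500))  # True
    print(ac.alerts)
```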
In the case of Ashley Madison and many other firms, not having a true internal security strategy can leave you vulnerable to malicious acts by disgruntled employees.
This is not an easy task for any organization. Internal security processes can be extremely complex. If your company is holding significant amounts of customer, supplier and employee data, invest in an Internal Security Assessment.
The second issue surrounds the “Full Delete” option that Ashley Madison offered its users. This option would permanently erase any record of a user’s presence on the site. Ashley Madison charged $20 for this feature. Based on the initial scrub of the data by security analysts, many clients who did pay for this service still had their data on Ashley Madison’s services. From a business point of view – this is a breach of customer trust and may well lead to a series of lawsuits being filed against Ashley Madison. Why did they accept money for a service that they did not render? This is a lesson for any company of any size. If you are going to make a promise to a customer and charge them for it, you better deliver! Being attacked on social media can be brutal for your business, but nothing compares to a cyber-attack!
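A "full delete" that is actually verifiable, as an added example that is not Ashley Madison's code or schema: a user's identifiers are usually spread over several stores (profile, messages, payments), so a delete that clears only the profile row leaves residue, and an independent verification pass is what shows whether the promise was kept. Store names and the sample rows are constructed.

```python
"""Delete a user from every store, then independently verify nothing remains."""


def _refers_to(row, user_id, email):
    """True if a record belongs to or mentions the user by id or e-mail."""
    return (row.get("user_id") == user_id or row.get("email") == email
            or row.get("from") == user_id or row.get("to") == user_id)


def verify_deleted(stores, user_id, email):
    """Independent check: list (store, row) pairs that still reference the user."""
    return [(name, row) for name, rows in stores.items()
            for row in rows if _refers_to(row, user_id, email)]


def full_delete(stores, user_id, email):
    """Remove the user from every store and verify.

    Returns (ok, leftovers); ok is True only when no store still references the
    user. In a real system retention rules may require pseudonymising payment
    rows rather than deleting them; they are simply removed here.
    """
    for name, rows in stores.items():
        stores[name] = [r for r in rows if not _refers_to(r, user_id, email)]
    leftovers = verify_deleted(stores, user_id, email)
    return len(leftovers) == 0, leftovers


def profile_only_delete(stores, user_id):
    """The weak approach: clear only the profile row and call it done."""
    stores["profiles"] = [r for r in stores["profiles"] if r["user_id"] != user_id]


def sample_stores():
    """Constructed sample data: user 42 appears in three of four stores."""
    return {
        "profiles": [{"user_id": 42, "email": "u42@example.com"},
                     {"user_id": 7, "email": "u7@example.com"}],
        "messages": [{"from": 42, "to": 7, "body": "hi"},
                     {"from": 7, "to": 42, "body": "hello"}],
        "payments": [{"user_id": 42, "amount": 20, "item": "full_delete"}],
        "photos":   [{"user_id": 7, "path": "p7.jpg"}],
    }


if __name__ == "__main__":
    s = sample_stores()
    profile_only_delete(s, 42)
    print("residue after profile-only delete:", verify_deleted(s, 42, "u42@example.com"))
    print("full delete ok:", full_delete(sample_stores(), 42, "u42@example.com")[0])
```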
The final issue is more of a question, WHO’S NEXT?
There is a misconception that all hackers are a bunch of nerds. There are many hackers who also aim to drive social change, also known as hacktivism. For instance, Anonymous was a voice for many who were fed up with police brutality last year in Ferguson, Missouri. There are also ethical hackers who assist businesses and governments in their cyber-security efforts.
The major concern should be about the next cause that well informed hackers will pursue. We have already seen major data breaches at Target, IRS, and potentially within Walmart photo centres.
The areas of our lives that are most private involve our family, relationships, health and finances. The Ashley Madison hack is receiving lots of attention because of the nature of their website. But what if hackers were able to obtain sensitive health data? A breach of the confidentiality of an individual’s health information could have serious implications. For example, if an employee who is 53, suffers from high blood pressure and requires medication had their records leaked, an employer could decide the cost of medical benefits makes the employee a financial burden and terminate them. This is why all data breaches matter.
We all need to take steps to manage our personal security, whether it is on social media networks or on our own internet-enabled devices. However, service providers (whether you agree with their business model or not) have the responsibility to ensure that they are taking the issues of privacy, security and confidentiality seriously. Talking about security and privacy is one thing. Delivering on it is another!