Remember a couple weeks ago when the adultery website Ashley Madison and assorted “sibling” sites were hacked? The alleged hackers were holding the data hostage and demanding (parent company) Avid Life Media be held accountable for what the hackers claimed was the fraudulent business practice of offering website “patrons” the opportunity to pay to have their data completely erased. The data has been released (including the supposedly erased data), it is now searchable thanks to websites like Have I Been Pwned, and it’s wrecking lives like, well, a proverbial home-wrecker. It doesn’t take much imagination to envision why this is happening – marriage as an institution in America has been on some fairly rough ground lately, but you don’t come to this blog for that kind of gossip…
So here’s my IT angle on the whole mess:
- Just one, simple piece of data in the wrong place at the wrong time can be a game changer. In the case of the above, finding someone’s email address in the database separate from any other context can utterly destroy trust. And this doesn’t have to be a spouse or a family member: it can be a congregant, constituent, employee, employer, customer, client, prospect, competitor, adversary or worse – a true enemy. Many have said that their accounts were created for research (I didn’t even put that in quotes), and many probably were and even have official documentation backing up that claim, but when data is released without context, the victims don’t have any control over how the data is viewed or used.
- Most agree that Avid Life Media’s IT team had more than adequate protections and data encryption in place, but like every other business, they were fighting a losing battle. As I’ve said repeatedly (as has most of the industry), the current battle against digital intrusion is a war of attrition, and the attackers have the upper hand. They only have to succeed once to win, but we, in defending our organizations, cannot stumble even once. In case you are having trouble envisioning why this is, imagine a game of soccer where you are the goalie and the hacker is the other team. It’s just you versus the entire team, and there are multiple balls in play. They only have to score once to win. You, on the other hand, can only hope to get one of the opposing team out on penalty to slow them down, but guess what? They have a rather deep bench. And there are no time outs.
- Do your employees or vendors have access to data or systems to which they shouldn’t? Some believe the hack was an inside job. Keep in mind that you have to trust someone at some point to manage your security. Though it may be difficult or even painful to examine your operations for disgruntled employees or customers, unethical or inhumane practices reap as they sow, as Avid Life Media is perhaps experiencing first hand.
- Things done on the internet can never be erased. Even if you pay someone to do so, and they make an honest attempt at it, the internet never forgets. Want to keep something secret? Keep it as far away from the internet as possible. Can’t (or won’t) do that? Count on it not being secret and at least you’ll be prepared for when it does become public. Also, there are very few levels of obscurity on the internet; in most cases, things are merely forgotten or overlooked, but they never truly disappear from view.
- Privacy and security are hard won, and increasingly so as time progresses. Expect the costs of maintaining these things to continue to rise.
With all the recent high-profile hacks it’s hard to not be a “Debbie Downer” when it comes to the current state of security and privacy – but don’t fool yourself into thinking that things aren’t as bad as they might seem. Taking a realistic view on internet privacy and security is important in achieving a balanced perspective when making decisions on what to spend (both in dollars and energy) on defending yourself and your business. It’s not the end of the world. Not nearly. But it’s rough out there, and likely to get worse before it gets better. Be prepared, be realistic: plan for the worst and hope for the best.
Hackers will go where the data resides, and there is perhaps no “juicier” website than the infamous Ashley Madison website that facilitates extra-marital relationships for nearly 40 million people. Owned by the Avid Life Media group, the Ashley Madison website is part of a family of similarly-minded websites including Cougar Life and Established Men. The breach was allegedly perpetrated by a group known as the Impact Team, and according to their posted manifesto, the attack was in response to alleged corporate malfeasance on ALM’s part – not, as many might think, in response to the encouragement of cheating spouses. Impact Team alleges that the program promoted by ALM called “full delete” does not in fact do what it promises: for a fee, members can request their profiles be completely erased from ALM records. The supposed “hacktivists” are threatening to post online all the data they’ve stolen from ALM unless their demands are met: take Ashley Madison and Established Men offline permanently.
What this means for you:
Personally identifiable information aside, getting outed for having an account on an adultery website is really “sensitive” data, no question. Though it shouldn’t hurt your employment prospects in theory – employers can’t discriminate based upon marital status (or fidelity for that matter) because that category of information falls under protected status – it can definitely wreck a marriage, and theoretically your finances from that point on. Assuming Impact Team plans to release all the data they’ve stolen, someone will undoubtedly turn it into a searchable database, and even the most trusting of spouses would be hard pressed to not have a peek. So on top of having your identity stolen, you could also lose the love and trust of a spouse, friends and family. I’m pretty sure the latter is worse than the former.
Despite ALM’s vague promises to remove confidential data as it appears, once data is on the internet, you can never take it down. It’s clear that ALM has no plans to accede to any of Impact Team’s demands, and even if the hackers don’t make good on their threats to publish, it’s still highly likely that trove of info will get sold or stolen and consequently published and used. So what do you do if you happen to have an entry in ALM’s database? It’s too late to take advantage of their “full delete” service – if it ever worked in the first place! If you haven’t already done so, getting some form of credit watch service lined up is a good idea, and changing your passwords is a solid first step. Next, I’d recommend seeking advice from qualified professionals in the areas you’ll most likely be living through from here on out.