For some reason people still think their data is safe with someone else…
First it was Adult Friendfinder, now Ashley Madison, hacked…
In this most recent attack, 37 Million users are waiting to see what their online profiles might look like posted online somewhere. Back in March it was 3.5 Million users, taken from Adult Friendfinder. The hacker says he did it for money, and was looking to shame government workers. In case you’re not familiar with these sites, they specialize in extramarital hook-ups.
Speaking of this week’s hack, Brian Krebs writes, “The data released by the hacker or hackers — which self-identify as The Impact Team — includes sensitive internal data stolen from Avid Life Media (ALM), the Toronto-based firm that owns AshleyMadison…In a long manifesto posted alongside the stolen ALM data, The Impact Team said it decided to publish the information in response to alleged lies ALM told its customers about a service that allows members to completely erase their profile information for a $19 fee.”
Apparently that delete function doesn’t really work…but in the data world, you can almost never count on delete actually deleting!
Why am I writing about Ashley Madison? There are a few important lessons here…
1. First, no site is safe from hackers – and, as in this hack, disgruntled employees or customers should always be considered in long-term defense planning. Many of your clients assume their employees and customers are safe. They’re not. One small problem can set off a business-crippling sequence of events. Will Ashley Madison recover from this? Regardless of whether you agree with their business, the point is, it’s their data and their business – it could be any business.
2. Since no site is safe, people should be thinking hard about the data they entrust to someone else. People forget, but passwords don’t work. We should all be considering what data we put on a device that connects to a network…of course most of us have most of our lives online right now. How hard would it be to erase your bank account? It’s just data at this point. It’s also true that altering your medical data could disqualify you from a job or lead to all kinds of questions being asked. Data is an asset – the stakes are growing as we put more of it online.
3. When you move to the cloud, something most businesses are doing to one degree or another, the data is owned by someone else. Of course the cloud-based provider will tell you it’s still your data, but when you say, DELETE, don’t be surprised if your data isn’t actually deleted – which brings up the $19 fee Ashley Madison charges to delete. Can you believe it? You have to pay to have your account deleted. And from what the hacker is saying, they don’t actually do the DELETE. They just collect the money. Do I hear another lawsuit coming?
The underlying problem here is education. Most of the companies you call on don’t understand their risk. They don’t understand where the data is, what’s protecting it, and the odds it will be compromised. I’m not speaking of IT here. I am speaking of the company leadership. IT will just go get a new job – the leadership will be stuck with the lawsuits and the mess to clean up. In many cases they will go out of business. Only when they understand their likelihood of being compromised can they make wise decisions to change their security approach. Either that, or wait until the hack happens, and then start scrambling for new strategies and technology.
© 2015, David Stelzl