Lessons from the Ashley Madison Hack
Before the summer of 2015, most people were at least vaguely aware of the Ashley Madison company through its perennial attempts to buy television commercial time during the Super Bowl. For several consecutive years, the company produced a television spot for its “have an affair” site for married people, only to have that spot rejected. The company then rode a wave of publicity from the rejection that likely gave it greater exposure than it would have received from actually airing the commercial during the big game.
Ashley Madison received significantly more negative publicity when a hacker group that calls itself the Impact Team breached the company’s cyber defenses in 2015, compromising the personal records of its more than 37 million users. The hackers ostensibly objected to Ashley Madison’s practice of charging users to delete their profile data while retaining their payment information. The users whose information was compromised became the target of credit card and other financial scams. An unknown number of marriages are also believed to have dissolved when the user information became public, and a few Ashley Madison users reportedly committed suicide.
Lessons From The Hack:
Apart from the personal toll on users and the damage to Ashley Madison’s brand and finances that resulted from the 2015 hack, the event raised awareness among companies of the ever-present need to enhance their internal security to protect customer data from cyber attacks. These cybersecurity recommendations might be viewed as a cybersecurity update to Sun Tzu’s Art of War:
- Know your enemy. Acknowledge that some person or group will be offended by something that your organization does. Identify those persons or groups and assess the likelihood that they will launch a cyber attack against your digital systems.
- Secure your data. Critics who reviewed Ashley Madison’s systems noted the weakness of the company’s security precautions. For example, the company failed to confirm email accuracy and had few internal protections for its users’ personal information. A company that does not have the expertise to assess its own security measures can retain third-party consultants to perform penetration and other tests to verify the strength of its cyber defenses.
- Confirm that deleted data has been fully erased. The FBI recovered many emails that had supposedly been deleted from Hillary Clinton’s accounts. Likewise, much of the information that Ashley Madison had purportedly deleted was recoverable. Complete data destruction may require the services of a company that specializes in data deletion, but a pretty good job can be done with the Shredder feature of Clean My PC.
- Monitor employees. Many cyber attacks originate outside of a company’s walls, but a large number also begin with disgruntled employees who have internal access to information. Regardless of whether he will be seen as a patriot or a traitor, Edward Snowden is a prime example of this risk.
- Install advanced cyber defense systems. Organizations can install software or subscribe to services that monitor incoming traffic to detect potential security breaches. Companies like Symantec offer a suite of solutions and services that can be tailored to address an organization’s specific data environment and challenges.
Ashley Madison’s total losses as a result of the 2015 security breach will not be known for many years. The company is currently defending a $576 million class action lawsuit, is the subject of a Federal Trade Commission investigation, has lost untold millions of dollars in market value, and has lost all credibility that would have supported a public offering of its stock. These circumstances and the very real threat of cybersecurity breaches should convince every business to devote more attention and resources to cyber defenses, regardless of the nature of their underlying business.