It seems that barely a month goes by these days without stories in the media of another high-profile data leak. Data breaches in past years at Target, Sony, and Home Depot have been joined by the recent leak involving the online dating service Ashley Madison. With these breaches seemingly becoming more and more common, is there anything businesses can learn from them? Let's take a look at the Ashley Madison data breach case in particular and what companies might do to limit the chances of similar things happening to them.
What happened with the Ashley Madison data breach?
Ashley Madison is an online dating website primarily aimed at people looking to have extramarital affairs. On July 15, 2015, a group of hackers calling themselves The Impact Team announced they had successfully hacked Ashley Madison’s database and threatened to release the identities of its users if the Ashley Madison website was not immediately shut down. Around a month later on August 18th, with the website remaining operational, the hackers released around 60 gigabytes of data revealing names, addresses, phone numbers, as well as a host of other Personally Identifiable Information (PII) of the website’s current and past users.
At least one cyber security expert noted that Ashley Madison deserves at least some credit when compared with other high-profile hacking targets for some of the security features that it had in place. The website’s security team had ensured tokenized credit card transactions were used so no full credit card numbers were stored on the site. While perhaps of little consolation to the site’s users, this meant that unlike data breaches at Target and Home Depot, the financial well-being of hacking victims was not under threat. Users’ passwords were also hashed with bcrypt, and email addresses and passwords were kept in separate tables. While clearly a cause of great embarrassment for users whose identities were revealed, the breach could have certainly been much worse.
Perhaps the most illuminating point of the Ashley Madison case from a cyber security point of view is that the website specifically offered a service to its users to scrub their personal information from its database. For a fee, users deciding to leave the online dating site could purportedly have any history of their ever having been enrolled in the service removed. The hack revealed, however, that users who had requested this service still had their PII remaining in the site’s database. This has potentially serious ramifications for consumer confidence in deleting accounts from any online service.
What lessons can businesses learn from this?
If it wasn't already clear, the Ashley Madison data breach should highlight the already well-supported notion that no company is 100% safe from data breaches. If even a site built on the premise of secrecy and selling the discretionary nature of its service can be successfully infiltrated by hackers, then so can any business. Over the coming months, it's expected that many civil suits will be launched against Ashley Madison by its outed users, who will argue the site didn't do enough to protect their information. Though, in this particular instance, it's not yet clear what the mode of attack or cause of the data leak was, business owners should view Ashley Madison as yet another cautionary tale of the liability and loss of reputation for a company that comes with a hack. While, at this point, it's apparent hackers can force their way into pretty much any system they are motivated to, businesses should take steps to ensure they are doing all they can to minimize the practices, errors, and lax cyber security elements that can open the door for data leakage.
How businesses can protect themselves
Since the collecting and retaining of customer data by businesses has become standard practice, businesses need to ensure they have the appropriate measures and practices in place to keep this data safe. This goes beyond working with an IT company to install firewalls on a system and extends to providing awareness and training for employees. The human element is an often overlooked aspect of cyber security. IT consulting can only go so far, though; in fact, a significant percentage of data leakage can be traced back to some misguided action or inaction by a person. After all, businesses can have the most sophisticated security technology in the world, only for one person to make a simple mistake that leaves an entire network vulnerable. Businesses should also hold ongoing education for their employees to avoid accidental disclosure, malware, and physical loss of assets that might lead to data leakage.
For businesses in industries where there are specific compliance standards regarding data security (prime examples being the healthcare and financial industries), these compliance regulations should be considered a baseline for security. By going above and beyond these standards, a business can not only minimize the chance of a security breach but also establish a key differentiator for itself among its competitors.
The Ashley Madison data breach serves as another wake-up call for businesses of all sizes and industries. While no company is entirely immune, improvements to IT systems and employee behavior through ongoing training can have a significant effect in minimizing the risk of being hacked.