Major corporate hacks have become common, and each year a few incidents stand out from the rest. In 2014, Target and JP Morgan Chase were the most prominent businesses to find themselves in hot water after their respective security breaches. In 2015, Ashley Madison looks like it’s in the running to be the biggest scandal of the year following its data leak.
Unlike Target and JP Morgan Chase, Ashley Madison is not a Fortune 500 company, so its size is not the main reason for the attention it garners. But what it lacks in size, it makes up for in controversy. Ashley Madison is an online dating service specifically made for people who are married or in committed relationships. Its main drive is to encourage people to cheat on their significant others by starting an affair.
On July 15, 2015, an anonymous group of hackers calling themselves the “Impact Team” claimed that they had managed to break into Ashley Madison and steal the personal information of around 2,500 members. They threatened to release it to the public if the site wasn’t shut down immediately. In response to the threat, Ashley Madison confirmed the hack, announced that it had strengthened security, waived charges for account deletion, and carried on with business as usual. Then, on Aug. 18, 2015, the Impact Team followed through on their threat and posted a 9.7 GB data dump on the dark web. The dump contains names, email addresses, phone numbers, and credit card number fragments, and can be accessed only through a Tor browser. But as of this writing, at least three websites have released the information to the general web for everyone to see.
Ashley Madison has yet to confirm the authenticity of the data, but security experts analyzed it and concluded that it is real. This means that in the following days, reputations – not to mention marriages and relationships – will be ruined.
For many people, this whole hacking scandal reeks of Schadenfreude – the German word for “pleasure derived by someone from another person’s misfortune.” It’s well-deserved karma for cheating, they say. But others are quick to point out the opposite. According to them, crime is crime regardless of who the victims are.
We’re not here to discuss the moral issues surrounding the existence of a website such as Ashley Madison. We’re here to talk about what this scandal means for the security of customer data. This is a great opportunity to take away key business practices that prevent your customers from becoming the victims of a cybercrime. No matter how you look at these breaches, it’s always the people loyal to your business who get the short end of the stick after a security hack. So what are you doing to protect them?
The use of email addresses
Ashley Madison is a dating site, so most members use it for personal reasons. Yet, some of them signed up using business email addresses, including official .gov email addresses. It’s not just a few people; 15,000 .gov email addresses were found in the data dump. You can say that these folks should have known better because as a general rule, business email addresses should never be used for personal reasons.
Although that is indeed true, one thing you can learn from this incident is that organizations decide what kind of information they need to get from their customers. For the sake of security, it’s best to collect only the minimum information needed to deliver products or services to customers. For example, if your organization is offering business software, users should sign up for the service with their business email addresses and not their personal ones. Here at Convene, enterprise users can sign up only with their organization-assigned business email addresses. We do this because it ensures only authorized people can create accounts, and also because we don’t need personal email addresses to deliver Convene.
It would be great for you to be able to say that your organization’s security measures are infallible, but considering the high-profile victims of cybercrimes, it’s more logical to conclude that no one is truly safe from cyberattacks. At the same time, a security breach wouldn’t have a huge impact if there weren’t a lot of important information to leak in the first place.
The rise of extortion
Hackers steal information to destroy an organization or for financial gain. But according to Forbes, another motivation is on the rise, and that’s extortion. The Impact Team didn’t want monetary payment from Ashley Madison, nor did the group want to ruin the site for the fun of it. Instead, they gave a choice: Shut down the site, or pay the price. It’s moral outrage at its most palpable. It’s also a form of virtual blackmail, and data is the main hostage caught between the two parties.
In line with the Ashley Madison incident, organizations need to review their customer data and check what hackers may want from it. Credit card numbers, social security numbers, and bank account numbers are obvious: hackers covet these for the money they can bring. But what else could they want from the information you keep? Knowing the answer to this question could help your organization understand what possible motives hackers may have and how to respond to them if the need arises.
What you think isn’t crucial may turn out to be important for your customers. Let’s look at Spotify as an example. It’s an app for streaming music, so not counting a credit card information leak, how bad can a security breach be? What’s so scandalous about playlists and musical preferences? But if you think about it, customers would not appreciate their private playlists being posted in public for the world to see, especially if such playlists come with incriminating names like “Music I get high to” or “Songs dedicated to my ex.” It may be just a funny label with no deep meaning, but it’s still not something people would want their coworkers and relatives to know about.
Fortunately, not many organizations are involved in delivering controversial products and services the same way Ashley Madison is, so a security breach may not be as reputation-damaging for their customers. But it can still be as life-ruining. Getting a credit card cloned may not be as embarrassing or scandalous as being outed as a cheater, but it’s still something your customers don’t deserve.