When it comes to privacy failures, nothing beats the Ashley-Madison story as the 'sex, lies and videotapes' of data breaches. Hacked by "The Impact Team" in August of 2015, the story has it all: a data dump of individuals cheating on their spouses, the release of exceptionally personal details such as favourite positions and kinks, real-life devastating consequences including suicide and blackmail, and, oh yes, uncovered lie after lie. Not only was the website/service an utter failure at keeping client confidentiality, but later investigations revealed even if the hack hadn't happened, the odds of an actual 'match' happening between two users were utterly dismal to begin with, given the very few females in a database of overwhelmingly male users.
For businesses that collect personal information, the story serves as a more devastating example of what can go wrong for the company if that personal data is released. Accused and found guilty in both Canadian and Australian privacy offices of gross privacy mismanagement, even before the verdict was in parent company Avid Life Media, now Ruby Corp, lost big time: over a fourth of business revenue down the drain.
So what lessons can and should businesses take away from this colossal data disaster? Although security professionals agree no system is digitally bulletproof, here are three things that contributed to Ashley-Madison's utter humiliation.
1. Poor safeguards
While Ashley-Madison did use a number of protection schemes, including data encryption, locked data centres with biometric scanning, and logging of employee data access, investigation by PIPEDA and the Australian Privacy Act revealed the safeguards were not enough for the level of risk the information held. With privacy, the more sensitive information, the more safeguards to apply: the extreme sensitivity of the Ashley-Madison user data meant above and beyond safeguards should have been in place. Unfortunately, Ashley-Madison's safeguards did not make the cut: security lacked implementing commonly used detection measures, such as an intrusion detection system, along with poorly managed key and password handling. Where Ashley-Madison believed that accessing the server via VPN would provide better protection, they failed to recognize that the VPN access itself was insecure: lack of monitoring allowed the hackers to get in via compromised credentials.
2. False advertising
One of the reasons Ashley-Madison was able to acquire such a large list of clientele was because the company has assured users in advertising and at the point of sign ups that their information was safe, and they could trust the business in its confidentiality. Yet the so-called 'proof' of being a safe, secure web service was a lie right from the start. Investigations revealed that the 'trusted security award' medal, displayed was false, and the 'SSL secure' and statement of '100% discreet service' didn't measure up. This of course, became obvious after the hack, but still drives the point: if your business model relies on customer trust and confidentiality, you need robust privacy and security measures in place to prove your business can back up its claims.
3. Not taking privacy seriously
In the end, for a business that's entire model was based on protection of exceptionally sensitive data, Ashley-Madison's privacy practices didn't add up. Staff training was insufficient, with only 25% of staff having received privacy training at the time of the breach. Emails were never verified, causing a number of false charges to individuals who had not in fact signed onto the service, resulting in job loss, reputation all damage and at least on of the previously mentioned suicides. Information management compliance was exceptionally poor: when a user initially deactivated their account, none of the information was deleted from the Ashley-Madison files. A full delete option, was added upon user request, but required payment, and even then, some information, including photos, were retained 12 months after the deletion had been purchased.
Surprisingly, Ashley-Madison is still up and running: rebranded by Ruby Corp to be more about 'finding fantasy' than having affairs, a mix of four-star and one-star current customer reviews can still be found on consumer rating websites such as sitejabber, proving the old adage 'sex sells', and clearly the business brings in enough profit despite the huge losses to keep going. Things are going to be tougher this time around though, with an 80% drop in traffic since the hack, and Avid Life Media's reputation remaining in the mud, no doubt a reason for the rebrand. The hack has forced the business to make some serious changes to their business strategy, and with media mistakes & scandal lasting on the web longer than ever, it will be some time before we all forget this one.