I’m not proud to admit it, but it’s true: reports of major data breaches make me happy (unless, of course, the breach happens to affect me personally, and I have to deal with things like updating my online payment information for dozens of vendors because a new credit card number has been issued).
Like a lot of other folks in the IT security industry, a part of this joy is enlightened self-interest—breaches can be good for business. Beyond that, though, there’s also the hope that as breaches are reported, it may ultimately spur some positive change in corporate accountability and security policies, and most importantly raise consumer expectations for the protection of personal information that is so widely collected and stored on all of us.
Very recently, some pretty big news on data breaches has been reported:
- NSA slides were leaked recently that show the massive scale of attacks by Chinese hackers, which have afflicted more than 700 U.S. targets, including businesses and government agencies.
- Last week, Web.com announced the theft of credit card information for 93,000 customers.
- The week before, officials at the University of Virginia disclosed a breach of its IT systems by hackers from China.
However, in spite of the magnitude of these revelations, they didn’t have much, if any, mass media news coverage. Why? I’d argue we are in a period of complacency when it comes to breaches. It seems now a story needs to have a salacious angle to make the news. For example, it was only the fact that some of the exposed emails had nasty things to say about Angelina Jolie and other stars that put the Sony breach in the mass-media news cycle. However, when it comes to salaciousness and a resulting media frenzy, the Ashley Madison data breach may well eclipse anything we’ve seen before. For those who aren’t familiar with the site, Ashley Madison’s focus is on helping arrange extramarital affairs. Like many who hadn’t heard of the site until this breach, I was shocked to learn that Ashley Madison had been so popular, with some 39.2 million members, and that it was a pre-IPO company.
As so often happens, Ashley Madison’s leadership initially tried to downplay the severity of the breach. The CEO and other executives at Ashley Madison immediately told the public that the breach was limited, that there were no credit card numbers exposed, and that all the reports of leaked names were false. As with many other attacks, the executives’ spin is ultimately negated by the truth, and in this case, the truth came in the form of a massive data dump, 9.7 gigabytes of data that included names, credit cards, and email addresses. In addition, a lot of internal communications and documents, and even the site’s source code, were also exposed. What are the consequences?
Given the nature of Ashley Madison’s services, there’s a clear morality angle that will be sure to give this story a long shelf life in online media and discussions. While we can make judgements or condemn the people who elected to sign up for a service like Ashley Madison, it is also important to recognize that, because of the private, highly personal nature of the site, the implications of the breach will reach far beyond the typical attack at a retailer or financial institution.
As opposed to the very real financial significance of a credit card breach or the financial and emotional strains of identity theft, this breach introduces a whole new layer of collateral damage, potentially for millions of families. Articles are surmising millions of marriages may be affected and suicides have already been linked with the breach.
The damage doesn’t stop there. Consider that 15,000 email addresses with the “.mil” domain have already been identified as being included in the records compromised. These military personnel may be exposed to significant disciplinary action; adultery in the military is a prosecutable offense under Article 134 of the Uniform Code of Military Justice. Maximum punishment includes dishonorable discharge, forfeiture of all pay and allowances, and confinement for one year. In addition, what happens if military personnel are extorted for information? Will the safety of the public be jeopardized?
If that’s not bad enough, it’s even more sobering to think of the emails with .gov addresses that have been exposed, the government officials who used them, and how far-reaching the implications may be. NBC News reported that “Hundreds of U.S. government employees—including some with sensitive jobs in the White House, Congress and law enforcement agencies—used Internet connections in their federal offices to access and pay membership fees to the cheating website Ashley Madison.” The report goes on to say that the officials “included at least two assistant U.S. attorneys; an information technology administrator in the Executive Office of the President; a division chief, an investigator and a trial attorney in the Justice Department; a government hacker at the Homeland Security Department and another DHS employee who indicated he worked on a U.S. counterterrorism response team.” Clearly, these revelations are only beginning, but it’s not too difficult to imagine the breach having far-reaching consequences for careers, government initiatives, and elections in the future.
For some time, I’ve hoped that we would band together and demand a higher level of security and accountability from those organizations to which we entrust our personal information. I firmly believe that it is time for data privacy and data protection to become an issue that’s focused on at the highest levels of politics, and on both sides of the aisle. It hasn’t happened yet. While reports of breaches continue to be commonplace, there’s simply been too much complacency. Maybe in the wake of the Ashley Madison breach, that will start to change.
Company executives, boardroom members, and government agency officials pay attention to salacious news, just like the rest of us. At the end of the day, sex sells. Perhaps sex-story hacks can even make topics like security strategy and privacy more important for the people who make the call on corporate investment priorities and government policies.
There are some pretty compelling arguments to be made that this security breach will be an extinction event for Ashley Madison. As a result, I’m pretty sure that many executives and board members are now discussing how a data breach may affect—and maybe even destroy—their companies. Hopefully, this is helping foster some concrete discussions about what security measures can be put in place to protect data and to contain the damage should a breach occur.
If you’re worried about a data breach and what it may do to your business, be sure to visit vormetric.com. For years, Vormetric has been collaborating with customers to help them mitigate the risks of data breaches. We help customers devise a sound encryption strategy that isolates and secures data in a cost-effective and scalable manner. Vormetric experts would be happy to consult with you, and help implement the strategies that mitigate the risk and implications of a data breach.