This article was authored by John C. Tanner, and was originally posted on telecomasia.net.
Some people have been asking me what I think of the Avid Life Media/Ashley Madison hack, and the hackers making good on their threat to release the stolen data on the internet.
Here are a few quick thoughts:
1. You’re going to be seeing a lot more of this sort of thing. Bruce Schneier talks here about the rising trend of “organizational doxing”, in which hackers steal tons of personal data from corporations and government agencies and release it in the wild, whether for purposes of whistleblowing or revenge (Edward Snowden being a famous – or infamous – example of the former).
The essay was written before the Ashley Madison hack went public, but the basic lesson is the same:
Both governments and corporations need to assume that their secrets are more likely to be exposed, and exposed sooner, than ever. They should do all they can to protect their data and networks, but have to realize that their best defense might be to refrain from doing things that don't look good on the front pages of the world's newspapers.
2. One interesting angle is the fact that, among other things, Ashley Madison provided a “full delete” service, under which it would scrub personal information such as your real name, username, email, profile information, photos, search results and usage history from the site – all for a fee of $19.00. Allegedly Ashley Madison earned $1.7 million in revenues in 2014 from the “full delete” service alone.
However, the hackers claimed one of their motivations for attacking the site was that Ashley Madison’s full-delete service in fact retained a lot of personal data. According to The Guardian, the released documents indicate that info such as date of birth, location data, gender, ethnicity, weight, height, body type, relationship status and sexual proclivities was still stored on-site – enough info to potentially divine the person’s identity:
For instance, one user marked as having paid for their account to be deleted can be tracked to a specific tower block in London, where knowledge of their date of birth and appearance would easily identify them to friends or spouses.
In other words, even if you paid $19 for “full delete”, there’s still a chance at least some of your data is included in the documents.
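The retention problem above is easy to check for before shipping a paid deletion feature: strip the direct identifiers the way a naive "full delete" would, then count how many records still share the same combination of retained fields (date of birth, location, gender, build). A deleted user whose combination is unique is still re-identifiable. The following is an added example written for this post, not code from Ashley Madison or Avid Life Media; the field names, the split between direct and quasi-identifiers, and the sample records are all constructed.

```python
"""
Audit whether a "full delete" actually removes re-identification risk.

Added illustration for this post; not Ashley Madison's code. Field names,
the identifier split and every record below are constructed assumptions.
"""
from collections import Counter

# Fields a naive "full delete" is assumed to scrub (direct identifiers).
DIRECT_IDENTIFIERS = {"real_name", "username", "email", "photos", "search_history"}

# Fields the leak reportedly left behind; together they act as quasi-identifiers.
QUASI_IDENTIFIERS = ("date_of_birth", "location", "gender", "height", "body_type")

# Constructed sample data: users 1 and 2 paid for deletion.
RECORDS = [
    {"id": 1, "real_name": "A. Person", "username": "ap1", "email": "ap1@example.invalid",
     "photos": ["p1.jpg"], "search_history": ["q1"], "date_of_birth": "1979-03-02",
     "location": "London E14", "gender": "m", "height": 180, "body_type": "athletic",
     "deleted": True},
    {"id": 2, "real_name": "B. Person", "username": "bp2", "email": "bp2@example.invalid",
     "photos": ["p2.jpg"], "search_history": ["q2"], "date_of_birth": "1985-11-20",
     "location": "Manchester M1", "gender": "f", "height": 165, "body_type": "average",
     "deleted": True},
    {"id": 3, "real_name": "C. Person", "username": "cp3", "email": "cp3@example.invalid",
     "photos": ["p3.jpg"], "search_history": ["q3"], "date_of_birth": "1985-11-20",
     "location": "Manchester M1", "gender": "f", "height": 165, "body_type": "average",
     "deleted": False},
    {"id": 4, "real_name": "D. Person", "username": "dp4", "email": "dp4@example.invalid",
     "photos": ["p4.jpg"], "search_history": ["q4"], "date_of_birth": "1985-11-20",
     "location": "Manchester M1", "gender": "f", "height": 165, "body_type": "average",
     "deleted": False},
    {"id": 5, "real_name": "E. Person", "username": "ep5", "email": "ep5@example.invalid",
     "photos": ["p5.jpg"], "search_history": ["q5"], "date_of_birth": "1990-01-01",
     "location": "Leeds LS1", "gender": "m", "height": 175, "body_type": "slim",
     "deleted": False},
]


def naive_full_delete(record):
    """Scrub direct identifiers only; everything else stays on-site."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def quasi_key(record):
    """The tuple of retained fields that can be correlated against outside knowledge."""
    return tuple(record.get(f) for f in QUASI_IDENTIFIERS)


def anonymity_set_sizes(records):
    """Map each record id to how many records share its quasi-identifier tuple (its k)."""
    counts = Counter(quasi_key(r) for r in records)
    return {r["id"]: counts[quasi_key(r)] for r in records}


def reidentifiable_after_delete(records, k=2):
    """Ids of 'deleted' users whose retained fields are shared by fewer than k records.

    k=2 is the weakest useful bar: a unique tuple pins the record to one person.
    """
    scrubbed = [naive_full_delete(r) for r in records]
    sizes = anonymity_set_sizes(scrubbed)
    return sorted(r["id"] for r in scrubbed if r.get("deleted") and sizes[r["id"]] < k)


def real_full_delete(records):
    """Drop deleted users' records entirely so nothing remains to correlate."""
    return [dict(r) for r in records if not r.get("deleted")]


if __name__ == "__main__":
    print("still re-identifiable after naive delete:", reidentifiable_after_delete(RECORDS))
    print("records left after a real delete:", [r["id"] for r in real_full_delete(RECORDS)])
```

On the constructed data, user 1 is flagged: nothing identifies them by name any more, but no other record shares their date of birth, location and build, which is exactly the tower-block scenario The Guardian describes. User 2 survives the naive scrub only because two other records happen to match; raise `k` and they are flagged too. The only version of "full delete" that passes regardless of population size is the one that removes the record.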
3. If this doesn't convince you that data privacy policies and security really matter when it comes to your reputation and relationship with your customers, then there's nothing we can do for you.