Ashley Madison, which proudly bills itself as “the most famous name in infidelity and married dating” is at the center of what might become one of the most talked-about hacking incidents ever.
The hack and subsequent release of the identities and personal information of tens of millions of people seeking extramarital affairs online has brought embarrassment to outed celebrities and politicians, and is already being blamed for at least two suicides.
While it’s easy to dismiss the fallout from the Ashley Madison hack as a circus act because of the nature of the service, there are a number of lessons for all brands in this sordid affair.
The first part of addressing and preventing security breaches like the one Ashley Madison is now dealing with is to accept the fact that your company is vulnerable.
Companies that invest heavily in security, including large financial institutions, retailers and tech giants, have all been hacked, so no business should assume that it’s immune to hackers.
Security is about more than going through the motions
It’s easy to use SSL, throw some security seal images on a website and pretend that customer data is safe, but actually building and maintaining secure online services is very tough.
Most companies have good intentions. They try to follow security best practices and stay up-to-date when the software they rely on receives security patches. Some, particularly those that accept payments, invest in third-party audits and regular vulnerability scans.
But thwarting sophisticated attackers is increasingly difficult, particularly for high-profile targets that receive sensitive financial and personal information from their customers. For this reason, it’s important that companies transacting with consumers online treat security as a core competency that’s vital to their business.
Insiders are a huge security threat
The identities of the people behind the Ashley Madison hack are still unknown, but early on there was speculation that an insider, perhaps a former employee or contractor, was involved.
Even if this turns out not to be the case, companies must face the inconvenient truth that insiders are a huge security threat.
While it’s all but impossible to completely eliminate insider risk, ensuring that employees, contractors and vendors have only the access they need, and removing access when it’s no longer needed, is absolutely critical.
Additionally, companies should ensure that they adequate log and monitor insider access so that if there is a breach, they can quickly identify suspects.
Putting in place comprehensive access controls can be complex and costly, but it’s a worthwhile investment given the damage that insiders can cause, often with nothing more than a USB drive and the ability to copy and paste.
Cheating your customers is only cheating yourself
Ashley Madison’s subscribers aren’t the only ones facing embarrassment in the wake of the company’s hacking. The company itself has come under scrutiny over the quality of its service.
Ashley Madison allowed subscribers to delete “all traces of [their] usage” for an additional fee. But it appears that while the company did delete some subscriber information as promised, other information was not deleted.
This included GPS coordinates, city, state and date of birth, all of which could theoretically be used to track down a particular subscriber’s identity.
Ostensibly, Ashley Madison kept this data for analytics purposes, but in doing so it didn’t live up to its promise and that promise is now at the center of at least one multi-million dollar class action that has been filed against the company.
Lesson: delivering anything less than what you say you will deliver to customers is tantamount to cheating them.
Law enforcement and rewards can’t save you
Ashley Madison is working with law enforcement to identify the people who hacked it, and the company has even offered a $500,000 CDN reward for information leading to their arrest and conviction. But the reality is that nothing can stop or reverse the damage that has already been done to Ashley Madison and its brand.
This is the unfortunate reality companies face today: major security breaches involving personal and financial information frequently have catastrophic consequences that don’t become less catastrophic when justice is eventually served.
Customer service matters even when you can’t really help
Arguably, there is very little Ashley Madison can do to meaningfully help customers affected by its hacking. But that doesn’t mean that the company should leave customers hanging either.
According to some reports, Ashley Madison has communicated very little with its subscribers and some who have tried to contact the company to address their concerns say they have been unable to do so.
When all is said and done, how well Ashley Madison treats its subscribers during this period of turmoil could very well determine how many of them give the company a second chance.
A hack could endanger your company’s life
Before it was hacked, Avid Life Media, the company that operates Ashley Madison, was pulling in more than $100m a year in revenue, and reportedly prepping for an IPO. Now, the IPO is in doubt and with lawsuits seeking more than $500m damages already filed. Some have gone so far as to suggest that the company might not be able to survive this affair.
Obviously, Ashley Madison is an unusual case because of the nature of its service, but that doesn’t mean that companies not engaged in sordid business lines should assume that hacks aren’t an existential threat to their survival and success.
Because of the vast amount of data being put online, hacks are getting bigger and costlier, and the Ashley Madison hack won’t be the last that threatens to bring a company to its knees.