Late Sunday evening, security blogger Brian Krebs reported that sensitive data belonging to 37 million users of Ashley Madison had been stolen by a hacker or hackers identifying only as The Impact Team. As is typical with incidents of this nature, names, addresses, credit/debit card information and other personal information may have been taken. However, the article asserts that an alleged lapse in sensitive data management practices may have been the motivation behind the attack:
“In a long manifesto posted alongside the stolen ALM data, The Impact Team said it decided to publish the information in response to alleged lies ALM told its customers about a service that allows members to completely erase their profile information for a $19 fee.
According to the hackers, although the ‘full delete’ feature that Ashley Madison advertises promises ‘removal of site usage history and personally identifiable information from the site,’ users’ purchase details — including real name and address — aren’t actually scrubbed.”
Why the data wasn’t removed from the service is up for debate, but let’s assume the company was doing its best to make good on the service offering and was not making false claims. Perhaps pieces of data were retained for compliance purposes, or data was copied and saved to an insecure location. There are any number of reasons why sensitive data is inadvertently compromised. However, the “why” isn’t as relevant as the fact that the data was there in the first place. Regardless of intention, the damage that can be suffered by organizations that do not appropriately align business strategy with sensitive data management practices is very real. Ashley Madison offered a premium service that promised enhanced data protection, and once that becomes a part of an organization’s business model, there really is no room for error.
Sensitive data management that actually reduces risk requires classifying every piece of data, monitoring it, detecting data that is out of place and remediating the situation immediately. As this incident and many others like it prove, sensitive data management practices, or the lack thereof, directly impact the risks associated with data breaches. No, it’s not easy, but it’s clearly non-negotiable.
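The classify, detect and remediate loop described above can be checked mechanically for the "full delete" case. The following is an added example, not code from Ashley Madison or from the original article; the schema, the `PII_COLUMNS` classification map and all sample rows are constructed assumptions.

```python
import sqlite3

# Hypothetical classification map: table -> columns holding personal data.
PII_COLUMNS = {
    "profiles": ["email", "display_name"],
    "purchases": ["real_name", "address"],
}

def build_sample_db():
    """Constructed sample data: user 2 requested deletion, user 1 did not."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE profiles (user_id INTEGER PRIMARY KEY, email TEXT,
                               display_name TEXT, deleted_at TEXT);
        CREATE TABLE purchases (purchase_id INTEGER PRIMARY KEY, user_id INTEGER,
                                real_name TEXT, address TEXT, amount_cents INTEGER);
        INSERT INTO profiles VALUES (1, 'a@example.test', 'alpha', NULL);
        INSERT INTO profiles VALUES (2, NULL, NULL, '2015-01-01');
        INSERT INTO purchases VALUES (10, 1, 'Alice Example', '1 Main St', 4900);
        INSERT INTO purchases VALUES (11, 2, 'Bob Example', '2 Side Rd', 1900);
    """)
    return conn

def find_residual_pii(conn):
    """Return (table, column, user_id) for every classified column that is
    still populated for a user whose profile is marked deleted."""
    findings = []
    for table, columns in PII_COLUMNS.items():
        for col in columns:
            # Table and column names come from the fixed map, never user input.
            rows = conn.execute(
                f"SELECT DISTINCT t.user_id FROM {table} AS t "
                f"JOIN profiles AS p ON p.user_id = t.user_id "
                f"WHERE p.deleted_at IS NOT NULL "
                f"AND t.{col} IS NOT NULL AND t.{col} <> ''"
            ).fetchall()
            findings.extend((table, col, uid) for (uid,) in rows)
    return sorted(findings)

def remediate(conn, findings):
    """Null each flagged field; unclassified fields (e.g. the amount kept
    for compliance) are left untouched."""
    for table, col, uid in findings:
        conn.execute(f"UPDATE {table} SET {col} = NULL WHERE user_id = ?", (uid,))
    conn.commit()
```

Run on a schedule, a non-empty result from `find_residual_pii` is the "out-of-place data" signal: the profile was scrubbed, but the purchase record still carries the name and address.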