The Canadian-owned adult dating site for spousal affairs was the victim of a huge data breach on Monday—potentially exposing millions of users’ real names, nude photos, sexual fantasies, billing addresses and financial information—a breach that raises questions not merely about security vulnerabilities but also about what posture a company should take on data retention.
Given that use of the site implies illicit activity, activity most of its users would want kept entirely private, Ashley Madison did surprisingly little to protect its users’ privacy. Its retention of postal addresses, real names and financial information, together with its reliance on standard website procedures for username retrieval and password changes, all added to the gravity and embarrassment of the breach.
In fact, because the threat was internal to the organization, the real vulnerability had less to do with the sophistication needed to defend against external exfiltration than with the fact that the sensitive information being retained was more of a liability than an asset.[i]
The takeaway from Monday’s Ashley Madison breach is that security is about more than hardening networks: information security must be considered in every aspect of business planning. Increasingly, a business’s security posture must be tailored to the specific services or goods it provides. In Ashley Madison’s case, far less stood to be gained from retaining private user data than now stands to be lost.
For more information on the AM breach see:
[i] See the Verge article on the breach: http://www.theverge.com/2015/7/20/9006213/ashley-madisons-data-breach-is-everyones-problem