For users of the controversial adultery dating site Ashley Madison, July 15, 2015, was a black day indeed. The Canadian organisation reported on that day that an eye-watering 37 million users had had their most personal data leaked. That would be an embarrassment of phenomenal magnitude for any site of its nature, but it is an off-the-charts disaster for an organisation so reliant on secrecy. The hackers threatened to leak online a 9.7 GB encrypted file that was claimed to contain the login details, personal details, credit card details, and sexual preferences of the site's users. They leaked the data on Aug 19, 2015, after Avid Life Media, the owner of the twin sites AshleyMadison.com and EstablishedMen.com, failed to take both sites offline as demanded by the Impact Team, the self-proclaimed hackers. It's not our business to comment on the ethics behind the philosophy of the site or the claims of the hackers, but it is our role as industry leaders to take the opportunity to share our thoughts on data security in light of this extraordinary event.
Avid Life Media has not yet explained how this security breach happened, and IT experts have not been able to figure it out either. But something clearly went extremely wrong, and this incident shows that even the largest organizations, and those most in need of securing their data, are compromising on data security by not taking it seriously. One simple example of this carelessness is that Ashley Madison allowed users to sign up without verifying their email IDs. The chances are high that people misuse this to sign up with the email IDs of others, especially given the nature of the site in question. Even the most basic level of security was not implemented, which is an unforgivable oversight.
Consequences of the data leak
The Ashley Madison data leak is a typical example of the wide-ranging effects that can follow when data security is compromised. The personal details, financial information (including credit card details), and reputations of the users are all at stake here. Nobody can say how personal and financial information will be used once it is openly available to all, and affected users will have to spend extra time and effort making sure they are protected from further attack. The data leak has also irrevocably dented the credibility of the organization, and there is no doubt that revenues will take a huge blow due to this incident.
How can organizations secure their IT infrastructure?
Taking lessons from the Ashley Madison data leak, it is clearly time for organizations to review the security arrangements in their IT infrastructure, although keeping the IT environment safe and secure is not an easy task. IT administrators will have to adopt various strategies depending on the type of resources they have. In general, however, the strategy should include forming a security policy and implementing it strictly with the help of various technologies. Proper auditing is also important in ensuring the faultless implementation of the security policies. Nowadays, many organizations rely on professional tools to perform various security-related activities, including comprehensive auditing.
How do internet users compromise the security of their accounts?
The Ashley Madison data leak also throws light on how end users are compromising on internet security. Some analysts who claimed to have analyzed the login details found that most of the accounts had very simple passwords like ‘123456’ and ‘password’. Another interesting finding was that many users were using their official IDs on a site that was meant for social networking. It is time for corporates to educate their employees better about the dangers of using their official IDs on social platforms.
Organizations and IT users are sometimes found to be careless about their IT security, and the Ashley Madison data leak reveals how some pitfalls of IT security can lead to catastrophic failure.
This is a cautionary lesson for every organisation, and the lessons learnt here should be long remembered. Not a moment should be wasted in ensuring that data security policies are in order and fit for purpose.