5 W's – who, what, when, why, why
I will be honest: prior to this breach and the media coverage that followed it, Ashley Madison simply sounded like the name of an ex-girlfriend. Today it is synonymous with one of the decade's largest social media data security tragedies. I do, however, find myself questioning how this incident reached stardom with so much momentum almost overnight.
The timeline of “Ashley Madison” events can be found here. As with the other breaches that have gained enough notoriety to hit mainstream media, the sequence of events is the same: high-value information is exfiltrated from a web company because of a lack of safeguards.
The theme is so common that one could conclude the general public has become severely desensitized to headlines such as the Ashley Madison one. Ashley Madison's alleged intruders took the liberty of highlighting the reasonably low level of effort it took to gain access to the troves of information, with comments indicating that there were very few safeguards in place to thwart such an attack.
What is unfortunate, however, is that there are very few laws governing how Internet companies, or more specifically dating websites, safeguard the data they are entrusted with. Users and potential clients are presented with the all-too-common “Enter Your Data At Your Own Risk” style user agreements. These agreements are commonly misconstrued as contractual expectations of privacy. Therein lies the problem, or the beginning of a larger, more systemic issue.
For banks, and even data brokers, laws are in the beginning phases of development to provide a layer of protection to consumers and their data. Such laws do not exist for social media sites, though the implementation of effective data security safeguards should be common practice. Common practice is not “standard” by any means.
Enter the Ashley Madison saga: an online dating company strategically focused on matchmaking the traditionally taboo, gaining a significant market share by offering its clients “secure” and anonymous communication channels to facilitate “non-traditional” relationships.
The site's notoriety and success were so extensive that it boasts (as did the alleged hackers responsible) over 33 million records. These records contain information that earns the classification of “Private” with ease. The outcome (like most data breach fallouts) has now unfolded into a scam-riddled ecosphere where the stolen information will be used for many reasons. One main and most lucrative use is identity theft, in many different shapes and sizes. Some will operate under the guise of industry-known outlets providing data removal services, similar to the ineffective method offered by Ashley Madison as an à la carte bonus.
Draw targets much? Almost like clockwork, the timer was set for this company, as it is for most that claim to provide security, anonymous offerings and the like without the proper know-how. In this case, identities could be matched via credit card transactions and improper technical compartmentalization of data. This is the age of innovative web services, but without the appropriate security acumen ingrained in the DNA of these social media companies, the sagas will continue.
Zero knowledge, encryption, access control: see bits & digits LLC's “The Snowden effect” for basic, technology-agnostic methods to adopt a security model that protects both client and company data at the core.