8 Lessons Learned From the Ashley Madison Data Breach
The Ashley Madison data breach has been one of the most financially and personally harmful data breaches ever. As of August 2015, the breach was reported to have affected as many as 39,645,000 of the company's customers, after hackers stole personal and financial information from Ashley Madison databases and posted it on the “Dark Web”.
Here are IPR’s top 8 IT security lessons that businesses can learn from the Ashley Madison data breach:
- Identify and Safeguard Your Business's Mission-Critical Data
It has become imperative that businesses identify and safeguard their mission-critical data, including customer credit card information, passwords, and social security numbers. Most businesses are still struggling to devote the necessary financial, human and IT resources to secure their business and customer data. Raj Samani, CTO Intel Security (Europe, Middle East and Africa), suggests that companies opting for a DIY approach would be wise to implement a risk management system that is capable not only of implementing the appropriate IT security protocols, but also of classifying data according to sensitivity.
- Ensure Password Security
According to Australian password security specialist Troy Hunt, Ashley Madison had good measures in place for securing user passwords: it hashed them with the bcrypt password hashing algorithm. Jeremi Gosney, in an Ars Technica interview, echoed the same sentiment, noting that only 0.068 percent of the 4,000 leaked Ashley Madison passwords could be easily cracked.
- Store Less Data
Hunt also points out that although Ashley Madison employed standard security measures to encrypt and secure customer credit card data, it did not secure customers' personal information or the geo-tracking information used to track a customer’s location to within a few feet. Hunt recommends that companies securely store only the most necessary customer information and expunge less crucial personal customer data.
- Keep Promises
Before the breach, Ashley Madison offered customers a “full-delete” service for $19. After the breach, this was offered as a free service for customers concerned about their personal information ending up in the wrong hands. Unfortunately, customer information remained un-erased from the company's databases. Samani says the full-delete service highlights the importance for organizations to simply “do what you promise.”
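One way to check that a “full-delete” really leaves nothing behind, as an added example that is not from the original article or from Ashley Madison's systems. The schema, table names and function names are hypothetical, and the sample rows are constructed.

```python
import sqlite3

# Hypothetical schema for illustration: three tables keyed by user_id.
SCHEMA = """
CREATE TABLE profiles  (user_id INTEGER, email TEXT, deleted INTEGER DEFAULT 0);
CREATE TABLE payments  (user_id INTEGER, card_last4 TEXT);
CREATE TABLE locations (user_id INTEGER, lat REAL, lon REAL);
"""

def make_db():
    """Build an in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO profiles (user_id, email) VALUES (?, ?)",
                     [(1, "a@example.com"), (2, "b@example.com")])
    conn.executemany("INSERT INTO payments VALUES (?, ?)", [(1, "4242"), (2, "1111")])
    conn.executemany("INSERT INTO locations VALUES (?, ?, ?)",
                     [(1, 40.0, -75.0), (1, 40.1, -75.1), (2, 51.5, -0.1)])
    conn.commit()
    return conn

def user_tables(conn):
    """Discover every table with a user_id column, so newly added tables are covered."""
    names = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")]
    return [t for t in names
            if any(c[1] == "user_id" for c in conn.execute(f'PRAGMA table_info("{t}")'))]

def soft_delete(conn, user_id):
    """The weak pattern: flag the profile as deleted, leave every row in place."""
    with conn:
        conn.execute("UPDATE profiles SET deleted = 1 WHERE user_id = ?", (user_id,))

def full_delete(conn, user_id):
    """Remove the user's rows from every discovered table in one transaction."""
    with conn:  # table names come from the schema, never from user input
        for t in user_tables(conn):
            conn.execute(f'DELETE FROM "{t}" WHERE user_id = ?', (user_id,))

def residual_rows(conn, user_id):
    """Audit: per-table count of rows still tied to user_id (empty dict = clean)."""
    counts = {}
    for t in user_tables(conn):
        n = conn.execute(f'SELECT COUNT(*) FROM "{t}" WHERE user_id = ?',
                         (user_id,)).fetchone()[0]
        if n:
            counts[t] = n
    return counts
```

Running `residual_rows` after every deletion request turns the promise into a testable assertion; it covers the live database only, so backups, replicas and logs need their own retention handling.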
- Secure the Supply Chain
Today it is more important than ever to realize that even the third-party vendors to whom companies grant IT network and application access could be a potential IT security threat. In fact, many major data breaches have resulted from third-party contractors who do not follow regimented security protocols. The 2013 Target data breach is an example of a third-party contractor who gained access, via a shared network, and compromised 50 million customer financial records.
- Communicate With Customers About Your Security
Simply stating that your customer information is private is not enough. It is important to communicate to customers the extra steps your company is taking to secure customer data. How you destroy data, the levels of security, and the protocols you have in place to prevent a data breach should all be part of your communication with your customers.
- Enforce Corporate Email Security Policies
In a recent interview with Data Breach Today, Stephen Coty (Alert Logic’s Head Security Evangelist) asserted, “Organizations need to get serious about enforcing corporate email security policies, which have traditionally gone unenforced”.
Coty’s examination of the original August 19, 2015 Ashley Madison data dump led to his discovery of 7,000 Army.mil email addresses; 125 official U.K. government email addresses; 150 emails traced to Shell.com; 190 from Wellsfargo.com; and a dozen Whitehouse.gov emails.
- Beware of DIY IT Security Projects – Seek Out Experts
Before you have a problem with employee or customer information ending up in the wrong hands, seek out experts who are in the business of helping companies formulate scale-as-you-grow data security plans. Companies that rely on their already overburdened IT personnel to design new layers of security are often forced to grapple with unexpected costs and overhead.
Maintaining the expertise and IT flexibility needed to keep up with customer security demands and changes in the regulatory landscape is a full-time job, not a one-off IT project. IPR Secure IT security experts are here to help! Call us today for a free consult or quote.
IPR Secure solutions help companies protect their mission-critical customer information. We built it for you, so you don’t have to! To learn more about our robust suite of IT security and datacenter solutions, such as IPR Secure Cloud or Regulatory-Enforced Cloud, visit: http://iprsecure.com or call us today at 877.282.4873.
Data Breach Today. 6 Lessons Learned From the Ashley Madison Breach.
Data Breach Today. Mitigating Organizational Risks After Ashley Madison.