Laprise: The lessons of Ashley Madison
The alarm bells are getting louder. #SonyHack, #HackingTeam, #OPMHack, and now #AshleyMadisonHack. In the space of a few months, four data breaches have punctured a media sphere that has become jaded to the idea of the loss of data. Why?
We were spellbound by the internal emails revealed by the #SonyHack, which has had lingering and far-reaching effects on Hollywood, including the souring of relations between it and Google.
The #HackingTeam event opened a window into the seedy world of international surveillance technology and cyberweaponry, underscoring how far governments around the world and in the United States are willing to go to spy on citizens.
The #OPMHack was about the vast stores of data retained by the federal government. To paraphrase: “Why hack governments? Because that’s where the data is.”
That brings us to the most recent #AshleyMadisonHack. It lacks the business effects of the #SonyHack, the privacy angle of #HackingTeam, and the scale of the #OPMHack. However it makes up for all of that in terms of sheer prurient interest.
As a website that explicitly facilitates illicit sexual liaisons, the data its hackers are threatening to disclose have crushed a company’s planned IPO and future, as well as putting fear into the hearts of cheating spouses and significant others across the country. The potential personal wreckage is profound.
This brings us back to the growing volume of those alarms. What do they tell us?
First, despite all of the rhetoric from organizations and government, the hacking problem is getting worse and organizations are not effectively mitigating the threat. Reports on the security measures in place in all four hacks reveal that security was neglected. We are not talking about falling short of best practices or even good practices; we are talking about implementation of worst practices like plaintext storage of weak passwords, use of default passwords and unencrypted data storage.
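To make the first of those worst practices concrete, the following is an added example (it is not code from the column or from any of the breached organizations). It puts a plaintext credential table beside the hardened form: a per-user random salt, a slow key-derivation function (PBKDF2-HMAC-SHA256 from the Python standard library), a constant-time comparison on verification, and a refusal to accept known-weak passwords. The user names, passwords and the small deny list are constructed sample data, and the iteration count is an assumption chosen for a quick demo rather than a production setting.

```python
"""Plaintext credential storage beside a salted, slow-KDF store.

Added example, not from the original article. All accounts, passwords and the
weak-password list below are constructed for the demonstration.
"""
import hashlib
import hmac
import os

# Assumption: a modest work factor so the demo runs quickly. Production systems
# should use a higher count (or a memory-hard KDF such as scrypt/Argon2).
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16

# Constructed sample accounts; note that two users share the same password.
SAMPLE_USERS = {
    "alice": "correct horse battery staple",
    "bob": "password1",
    "carol": "password1",
}

# Constructed deny list standing in for a real breached-password corpus.
WEAK_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein"}


def worst_practice_store(users):
    """Plaintext storage: whoever reads the table reads every password."""
    return dict(users)


def is_weak_password(password):
    """Reject short passwords and anything on the constructed deny list."""
    return len(password) < 12 or password.lower() in WEAK_PASSWORDS


def hash_password(password, salt=None):
    """Return a self-describing record: scheme$iterations$salt_hex$hash_hex.

    A fresh random salt per user means identical passwords produce different
    records and a single precomputed table cannot be reused across accounts.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(stored, candidate):
    """Recompute the KDF with the stored parameters and compare in constant time."""
    scheme, iterations, salt_hex, hash_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError("unsupported scheme: " + scheme)
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def hardened_store(users):
    """Hash every password; refuse to enrol accounts with weak ones."""
    store = {}
    for user, password in users.items():
        if is_weak_password(password):
            continue  # a real system would return an error to the user
        store[user] = hash_password(password)
    return store


def leaked_plaintexts(store, users):
    """Simulate a table leak: which accounts hand their password over verbatim?"""
    return sorted(u for u, p in users.items() if store.get(u) == p)


if __name__ == "__main__":
    print("plaintext store leaks:", leaked_plaintexts(worst_practice_store(SAMPLE_USERS), SAMPLE_USERS))
    hardened = hardened_store(SAMPLE_USERS)
    print("hardened store leaks:", leaked_plaintexts(hardened, SAMPLE_USERS))
    print("enrolled:", sorted(hardened))
    print("alice login ok:", verify_password(hardened["alice"], SAMPLE_USERS["alice"]))
```

Run as a script, the plaintext store gives up all three accounts on a leak while the hardened store gives up none, and only alice is enrolled because bob and carol chose a deny-listed password. The record format carries its own iteration count so the work factor can be raised later without breaking existing logins.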
Despite the rhetoric of cybersecurity, organizations continue to prove they are not serious stewards of user data, even when it threatens their capacity to function as a going concern. Their seriousness will apparently rise only when penalties for breaches rise. If any of these organizations had acquired insurance to cover such a hack, the insurer would likely be able to avoid its liability because the insureds had failed to take even the most basic steps to protect data.
Second, there is the “#” factor. Hackers are not concealing their actions or — as in the #OPMHack — word gets out. In the private sector, many organizations fear the effect on public confidence and brand of such a disclosure. Public Relations 101 is to get out in front and make full disclosure early and often. Concealing the problem only exacerbates it. Legislation to mandate disclosure of breaches should advance in Congress.
Third, hackers are getting better not just at the tactics of hacking, but also the strategy. They are identifying better targets. Like any predator, they are interested in the weaker and more vulnerable members of the herd. Unfortunately for users, most of the herd is lame.
Going one step further, increasingly we see the effects of hacking not in terms of specific stolen data records, but in the destruction of relationships between people and organizations built on trust. Once lost, that trust is hard to regain.
This is especially important in the #SonyHack, #HackingTeam and #AshleyMadisonHack. Unlike the #OPMHack, these hacks were especially damaging because they revealed private and even secret information shared by actors other than the data holder.
The #SonyHack rekindled Google’s war with the MPAA. The #HackingTeam revealed the deception practiced by states on their citizens; and the #AshleyMadisonHack, of course, threatens to disrupt marriages. In each of these cases, the hacked organization lacked a direct stake in the collateral damage wrought by the disclosure. The stakes were simply not high enough for them to take the threat sufficiently seriously.
They ignored the alarm bells because they didn’t see their house burning. It remains to be seen how long it will take for them to feel the heat.
John Laprise began studying global Internet policy and governance with his work on cyber warfare doctrine in 1993. He wrote this for InsideSources.com.