Extramarital dating site Ashley Madison has opened a new frontier in the data privacy discussion with the theft of its entire database. While much of the discussion about breaches, privacy and security has centered on attacks aimed at financial gain, a resurgence of cyberattacks on politically and cause-motivated organizations is reigniting discussion of such harmful hacks. That reflects the personal harm to individuals and companies that such breaches trigger. In these instances, you're often dealing with an adversary more interested in drawing attention to the attack than in keeping the intrusion quiet so as to extract more money from the stolen information.
For sites where anonymity and discretion are key to their business and survival, the damage from exposed personal member details is much worse than the loss of payment information that several large retailers suffered over the past year.
Leigh Nakanishi, Edelman's leading expert on data privacy and security and a pioneer in the cybersecurity field, shared with me that the potential reputational harm caused by this type of incident can be much worse and isn't limited to Ashley Madison. Organizations prone to similar attacks include those supporting political causes, such as super PACs, as well as the sites of groups whose members would be distinctly displeased to have their personal data stolen and exposed.
While companies may respond fairly quickly to these issues when they arise, they have to make sure their messages are helping their cause. Companies should not spend time on trying to categorize the breaches as criminal acts or acts of "cyber terrorism." What's most critical is focusing instead on providing customers with the information they need to protect themselves. At publication time for this article, nothing had appeared on Ashley Madison's website or elsewhere to help users take steps to protect themselves.
Nakanishi also mentioned to me that this particular case raises important questions about data retention policies of companies that store highly sensitive information. The best practice is to delete information once it's no longer needed to avoid exposing a wider group. Unfortunately, most companies hold onto information far too long or don't delete data properly.
In an age when objectionable activity can be punished through hacking that leaves permanent reputational damage, data-governance policies must be a top priority - and not only for financial institutions that can hedge their risks, but also for those companies that cannot.