Ashley Madison Customer Data Exposed in Latest Online Attack

By Joseph D. McClendon

Online dating website, Ashley Madison, is the latest company to have its customers’ personal information exposed in a massive online breach. Founded in 2001, Ashley Madison is an online dating service for people who are already dating, married, or otherwise involved in a relationship with another person. Owned by Avid Life Media, the website markets itself with the slogan “Life is short. Have an affair.” and has 37 million users as of July 2015.

Impact Team, the person or persons responsible for the attack, released a small part of the data it downloaded from the Ashley Madison servers on July 15, along with a message directing Avid Life Media to immediately and permanently take down Ashley Madison and its sister site Established Men, a dating website for wealthy men. Impact Team further writes that it initiated the attack and is threatening public disclosure of the data it downloaded because of Avid Life Media’s misrepresentation of the “full delete” feature that Ashley Madison provides to customers for a $19 fee to permanently delete the customer’s account. According to Impact Team, even if the customer pays the fee for the full profile delete, the customer’s account information remains in the Ashley Madison database and is merely hidden from the public and member search functions. The penalty for not taking both websites offline, the letter continues, will be the full disclosure and release of all 37 million of the customer records, profiles, nude pictures, conversations, credit card numbers, customer names and addresses, as well as employee HR information taken from the Avid Life Media servers.

While he has remained largely silent on the issue, Avid Life Media CEO, Noel Bilderman, has implied that Avid Life Media’s investigation in to the attack has led them to believe that the attacker (or attackers) is a current or former employee or contractor of the company. Whether or not Avid Life Media will confirm that this attack was an inside job remains to be seen, but the most important takeaway from this story for privacy officers is the importance of three basic, yet fundamental, aspects of protecting your customers’ personal information.

1. Implement an Internal Company Privacy Policy. Having a privacy policy that establishes internal controls for who collects customer personal information, how it is collected, where it is stored, and for how long it is stored is the first step to protecting your customers’ personal information. The privacy policy should obligate every employee with access to customer personal information to protect that data as well as obligating the company to provide annual training and updates to employees.

2. Embrace the Principle Of Least Privilege. The Principle of Least Privilege is a restrictive computing practice that only allows a user to access the information necessary for its legitimate purpose. In other words, an employee should only be allowed to access the least amount of information possible in order to do his job. By only giving the least amount of access privileges, you are minimizing the number of employees who will have access to customer personal information, thus making the pool of employees who do have heightened access smaller and easier to manage. Perhaps the most relevant benefit to utilizing the Principle of Least Privilege is that the temptation to access restricted information is removed if an employee can’t access that information in the first place; i.e. employees without access to proprietary and sensitive information can’t expose that information if they can never get to it.

3. Follow Your Breach Plan. When, not if, your company is breached, you must stick to your breach plan to stay ahead of law enforcement, regulators, the media, and further disclosure of customer personal information. Your breach plan should be written alongside your internal privacy policy – the documents go hand in hand and work together to help you control a breach. Employees must know what their roles are during a breach, when they must act, and who they need to contact when they discover a breach. Not having a breach plan can lead to a reactive response, which makes investigating and containing the effects of the breach more difficult.

Every company has unhappy and disgruntled employees and even the most advanced security protocols won’t stop a determined employee set on exposing sensitive information to the public. These precautions can help minimize the risk of exposure in the event an employee tries to, or does, cause harm to the company. The next 5 to 10 years are going to be incredibly rough for IT security professionals as the number of breaches increases, but embracing and preparing for the inevitability of breach are the first steps to recovery.

Summary and Takeaways

  • Online dating site, Ashley Madison, was breached on July 15, 2015
  • Early investigation indicates that the attack may have come from an employee or company contractor
  • Having an internal privacy policy that establishes controls for collecting, storing, and maintaining customer personal information is the first step to protecting sensitive data
  • Utilizing the principle of least privilege minimizes the number of employees who have access to customer personal information
  • Follow your breach plan to stay ahead of the breach

For More Information

Polsinelli attorneys understand how important protecting customer personal information should be to a business. For more information, please contact the author, a member of the Privacy and Data Security practice, or your Polsinelli attorney.