Cubus Solutions – Opinion Editorial
By John-Ashley Paul, President/CEO, Cubus Solutions
Infidelity, extortion and data breaches: What we can learn.
The recent data breach and compromise of 3.5 million user accounts at Ashley Madison, a website that explicitly facilitates illicit sexual liaisons, may turn out to be the largest case of broad-scale extortion the world has ever seen. It’s hack 2.0 if you will.
You already know to protect personal information of members and employees, intellectual property secrets, passwords, private keys, and the like – information that a hacker seeking financial gain would covet. But an extortionist is looking for confidential information that solely has the power to embarrass your organization, regardless of any potential financial value.
In the case of Ashley Madison, the hackers were agitated by a less-than-perfect promise made by Ashley Madison to erase personal data. The erase function created $1.7 million in revenue annually (according to the hackers), but as the hackers wanted to point out, the data was never fully erased. There’s some question as to whether the people at Ashley Madison knew that all the information wasn’t being erased. Either way, the hackers had the right to call out Ashley Madison in defense of its members. The irony is that while they were ‘defending’ the members, they were threatening to release the information of those same members, which they did on August 19.
They were not specifically interested in the data of any single individual in the user base; rather, they wanted to expose the fraud through extortion: close down the site or we leak the personal data.
The decision to make public specific information from the breach was not about an individual or their relationship with the hackers. It was about control. When someone controls your data and does not have a direct interest or economic relationship with you, it can be very difficult to gain back control or influence what happens to it.
Any business that has a website is a potential target for shakedown artists. That’s why it is a necessity to identify all sensitive information being stored and take every possible precaution to safeguard it. The bad guys don’t have to steal financial information to make money by hacking. They just have to steal any data that has value to someone.
Data as a detriment
More and more data is being gathered about customers. That’s the value side of the coin. More data helps you make better decisions, see trends, target market and so on. But on the other side, there’s risk, and the ‘save everything’ strategy is one such risk. The only way to determine the real value of saving all the data is to calculate the financial and strategic benefit gained from using the data, minus the cost of the infrastructure and the legal and compliance risks associated with keeping all that data.
Making matters worse for corporate security teams is that in recent years, most have invested heavily in protecting financial data, spending money on securing what they considered to be the most valuable data. In the future (which is now), this needs to change. But right now, every executive at every institution in the country should be hard at work doing an assessment of what their valuable data really is. Then, they need to invest wisely in protecting data that might seem inconsequential if stolen in one context, but a disaster if stolen in another, because every company will have to plan for ransom and extortion requests now.
The bottom line? As individuals, there will never be a better time to educate ourselves about what tradeoffs we are making, consciously or unconsciously, with our data. As business people, we need to decide what kind of data stewards we will be, especially as data becomes more ingrained in business strategy. As an industry, we need to start putting clear and practical norms in place to clarify these issues so that we can have a fair and productive conversation about them and, frankly, set a good example.
About John-Ashley Paul
John-Ashley Paul brings years of high technology and marketing experience and expertise to Cubus Solutions, including over six years with a leading credit union core data processing vendor. John-Ashley led product management & marketing at several technology companies including Siemens, EnterWorks, Asterion, and Interpro.