Hear that sound? That’s the sound of 36 million throats gulping at the same time. I’m referring to the data breach at AshleyMadison.com, a web site devoted to, well, marital infidelity. There’s no other way to put it.
The site was breached, information was stolen, and in an act of self-claimed hacktivist righteousness the hackers posted the info for all to see. Wired has a good write-up if you want the technical details. (Reports vary on the precise number of affected people, but in any case it’s a lot.)
What does one say about this? It’s not easy to defend customers for this kind of website, but the numbers show it was a big business. On the other hand, you can’t congratulate the hackers either for revealing names, credit card numbers and so forth. Two wrongs still don’t make a right, even on the Internet. And one can assume there are a lot of innocent among the guilty, people who signed up just to have a look around, the way you might sign up to a legitimate dating site to look around, but you never actually contact anyone.
Ugh. What a mess.
From my professional perspective, the thing to keep in mind here – outside all the moral and ethical issues – is that Ashley Madison was a business run by Avid Life Media. In this respect, it doesn’t matter what they were “selling.” It could have been stuffed animals or jelly jars or industrial electrical parts. It was a business and it got hacked. This is illegal, criminal behavior, full stop.
Like every business these days, Ashley Madison’s most valuable asset was its data. In fact, the data was their only asset. They were selling data connections: “Dear collection of ones and zeroes, I would like to introduce myself. I’m also a collection of ones and zeroes.” That’s what they did. They connected data, privately. And now that data is public.
One could chide the IT departments of the world and say, ‘See? THIS is why you have to be more careful!’ But this is just another in a seemingly endless series of data breaches, data losses, data spills and so on. Does anyone not get it at this point?
But knowing you have a potential problem and doing something about it are two different things. And even if you know you need to do something – Something! Anything! – that doesn’t mean you’ll do the right thing or the smart thing. Businesses get hacked because data security is hard and complicated, and there are very clever people out there looking for cracks in your wall all the time, every day. It’s enough to make an IT director give it all up to go sell jelly jars on the Internet. Ok, maybe not on the Internet.
So what to do? Generic IT clichés are sometimes valuable, and they are here:
Consolidate. Simplify. Harden. Simplify. Never stop checking. Simplify.
You’ll note a recurring theme. Complexity leads to weaknesses, because you can never be checking everything all the time. It’s easier to understand one product than to understand five, and this is especially the case with data management and security. And don’t be afraid to call in experts if you don’t have your own. If you don’t think you know everything you need to know, then you probably don’t. Yes, it costs money to have experts review your environment -- whether vendors or VARs or consultants -- but it also costs money to have your company name plastered all over the Internet in screaming headlines.
There is a lesson in the AshleyMadison.com news: don’t get caught with your pants down! There will be another company or government agency that will be plastered all over the Internet soon enough. There’s always the latest victim. But if you do the work you need to do, have a solid data management strategy, and a trusted partner like Commvault, then maybe the next victim won’t be you.