Here to comment on the news that the hacking of AshleyMadison.com has exposed the personal data of 37 million users, many will be wondering why the information of those customers who had paid for a “full delete” was still recoverable from the company’s servers are security experts from Blancco Technology Group, Tripwire and Veracode.
Pat Clawson, CEO of the Blancco Technology Group :
“I think the biggest concern here has more to do with people believing they had paid for their sensitive information to be fully wiped, when that simply wasn’t the case. Sure, users’ data may have been ‘deleted’ but was it destroyed? Clearly not.
This breach is exactly why it’s so critical that both businesses and consumers understand the difference between deleting data and destroying data. The two are not the same and mistaking one for the other can put companies, their employees and their customers into serious trouble. As a rule of thumb, remember this: Deleting is recoverable and destroying is not recoverable.
It’s irresponsible for a company to not deliver on what they promise their customers, and hopefully this hack serves as motivation for companies to take a hard look at their IT security policies and processes to ensure their information, and their customers’, are 100% safe. Period.”
Ken Westin, Senior Security Analyst for Tripwire (www.tripwire.com):
“These kinds of breaches can be quite disastrous for individuals who signed up for web services with the expectation of confidentiality and privacy. Even if users of the site had paid a fee to remove their profile and history, their personal information was still compromised. Unfortunately, in these situations even if aliases were used the profile is still linked to real names through credit card transactions, emails and other pieces of data. If this information is released, it could expose the 40 million users of the various online entities, and it has the potential to compromise much more than just email addresses and credit card numbers. Information associated with adult services has the potential to ruin lives, be used for blackmail or even espionage purposes, if government officials are involved.
“These kinds of compromises expose an ongoing issue of websites and services which claim to protect privacy and anonymity in their marketing collateral, or in this particular service it was the key feature. The problem is in order for these services to operate and collect money, the anonymous profiles are usually connected to a real identity. The amount of information these services collect regarding activity and interactions with the website such as IP addresses, usernames, email addresses, browsing history and other information increases the stakes, particularly if this data is archived instead of deleted.”
John Smith, Principal Solution Architect at Veracode :
Whilst one in a long line of customer data hacks, the secretive nature of Ashley Madison and its especially intimate customer information means that this breach is particularly worrying to the site’s subscribers. Whilst Ashley Madison sold a service to its users which promised secure deletion of their personal data, it seems in reality that it did not completely purge all of that data from all systems. This highlights the challenges that organisations face when handling personal data which may be distributed across disparate systems, and further reinforces the need for strategic and systematic thinking when approaching the security of that data.
As businesses collect and hold personal data they have a duty of care to protect that information against a wide range of threats, whether it is a malicious insider ( as may be the case here), an external attacker or accidental release. Band-aids don’t work and businesses need to take a broader, more strategic approach that aligns different functional areas toward the common goal.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.