The highest-profile data breach since the 2014 series of attacks on Sony, Apple and eBay has just occurred.
The Toronto-based firm Avid Life Media has suffered an attack by an entity calling itself The Impact Team. As many news sources have been reporting, Avid Life Media is the parent company of several websites that hold highly sensitive and highly valuable personal data, most notably the dating website Ashley Madison.
For those who may not know, Ashley Madison is a dating website that very much markets itself as a way for adults to conduct extramarital affairs. There are complex moral issues, therefore, in relation to the practice of the website and the data it holds.
However, from a technical point of view, in relation to data protection and compliance, this breach once again highlights how far common practice falls short of best practice.
The fundamental obligation of all companies: Protect customer data
First and foremost, regardless of debates surrounding the moral implications of the business, Ashley Madison, and indeed its parent company Avid Life Media, have a fundamental obligation to protect the data of their customers.
According to The Impact Team, they have stolen the personal data of 37 million users of the Ashley Madison website.
After the breach the company was quick to make a damage-controlling statement: “We immediately launched a thorough investigation utilizing leading forensics experts and other security professionals to determine the origin, nature and scope of this incident.”
But proper data protection is proactive, not reactive. Once data has been copied out of your network it cannot be recalled, so a forensic investigation can establish what happened but cannot undo it. Worryingly, the need to be proactive is something that is underappreciated in the business world. Crucially, it is not just a question of technology; it is also a people issue. Educate your employees to protect your customers.
Be aware that past employees can also be a security risk
It’s ironic that one of the biggest internal security threats to an organisation can be someone who is no longer employed by the organisation.
There are some simple steps to take to ensure that past employees do not become a security threat:
• Review network activity for departing employee(s) in the weeks leading up to the employee’s last day, paying particular attention to off-hours access and unusually large downloads or transfers.
• Require HR to review confidentiality and IP agreements with employees who give notice or who are terminated.
• Revoke all access for departing employees on their last day: not just the domain account, but VPN, remote-access tokens, SSH keys, API keys and any shared or service credentials the employee knew.
• Utilize an offboarding checklist to prevent rogue access, and periodically reconcile the list of enabled accounts against the list of departed staff, because a step that is missed once tends to be missed silently.
• Change administrative passwords immediately following the departure of IT personnel, since those passwords cannot be revoked per person the way an individual account can.
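Two of the steps above, reviewing a departing employee’s activity and confirming that access really was revoked, are easy to automate against authentication logs. The following Python script is an added example written for this post; it is not Avid Life Media’s tooling and does not describe anything about their environment. The log format, roster, hostnames, usernames and IP addresses are all constructed for illustration, and the off-hours window (before 07:00 or from 20:00) is an assumed policy, not one taken from the article.

```python
"""Offboarding access review (added example, not from the original post).

Runs over a constructed roster of departing employees and constructed
syslog-style authentication lines and reports:
  1. successful logins by an account AFTER its owner's last day, which
     means access was not revoked;
  2. a summary of each departing user's activity in the run-up window,
     with off-hours events counted for the reviewer;
  3. accounts still enabled for people who have already left.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date, datetime, timedelta

# Constructed roster (assumption): username -> last working day.
ROSTER = {
    "jdoe": date(2015, 7, 10),
    "asmith": date(2015, 7, 15),
}

# Constructed log lines (assumption): "<ts> <host> auth: <result> user=<u> src=<ip> svc=<service>".
SAMPLE_LOG = """\
2015-07-06T09:12:01 vpn01 auth: success user=jdoe src=203.0.113.7 svc=vpn
2015-07-08T23:41:55 fs01 auth: success user=jdoe src=10.0.0.22 svc=smb
2015-07-09T02:10:14 fs01 auth: success user=jdoe src=10.0.0.22 svc=smb
2015-07-10T17:59:30 vpn01 auth: success user=jdoe src=203.0.113.7 svc=vpn
2015-07-12T01:03:12 vpn01 auth: success user=jdoe src=198.51.100.4 svc=vpn
2015-07-14T10:00:00 web01 auth: failure user=asmith src=10.0.0.5 svc=ssh
2015-07-14T10:00:07 web01 auth: success user=asmith src=10.0.0.5 svc=ssh
2015-07-16T08:30:00 vpn01 auth: success user=bjones src=203.0.113.9 svc=vpn
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>success|failure) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) svc=(?P<svc>\S+)$"
)

# Assumed off-hours policy: before 07:00 or from 20:00 local time.
OFF_HOURS_START, OFF_HOURS_END = 20, 7


@dataclass
class AuthEvent:
    ts: datetime
    host: str
    result: str
    user: str
    src: str
    svc: str


def parse_log(text: str) -> list[AuthEvent]:
    """Parse the constructed log format; malformed lines are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        events.append(AuthEvent(datetime.fromisoformat(d["ts"]), d["host"],
                                d["result"], d["user"], d["src"], d["svc"]))
    return events


def post_departure_logins(events: list[AuthEvent], roster: dict[str, date]) -> list[AuthEvent]:
    """Successful authentications by a departed account after its last day: revocation failed."""
    return [e for e in events
            if e.user in roster and e.result == "success" and e.ts.date() > roster[e.user]]


def pre_departure_review(events: list[AuthEvent], roster: dict[str, date], days: int = 7) -> dict:
    """Summarise each departing user's activity in the `days` before the last day."""
    report = {}
    for user, last_day in roster.items():
        start = last_day - timedelta(days=days)
        window = [e for e in events if e.user == user and start <= e.ts.date() <= last_day]
        off_hours = [e for e in window if e.ts.hour >= OFF_HOURS_START or e.ts.hour < OFF_HOURS_END]
        report[user] = {
            "events": len(window),
            "off_hours": len(off_hours),
            "hosts": sorted({e.host for e in window}),
        }
    return report


def stale_accounts(enabled: set[str], roster: dict[str, date], today: date) -> list[str]:
    """Accounts still enabled for people whose last day has passed (offboarding checklist miss)."""
    return sorted(u for u in enabled if u in roster and roster[u] < today)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for e in post_departure_logins(evts, ROSTER):
        print(f"ALERT: {e.user} authenticated to {e.svc}@{e.host} from {e.src} at {e.ts} after departure")
    for user, summary in pre_departure_review(evts, ROSTER).items():
        print(f"review {user}: {summary}")
    print("still enabled after leaving:", stale_accounts({"jdoe", "asmith", "bjones"}, ROSTER, date(2015, 7, 12)))
```

The post-departure check is the one to wire into an alert: in the constructed data it catches jdoe’s VPN login two days after the last day, from an address never seen during employment. The pre-departure summary is deliberately a summary rather than a verdict; two overnight file-server logins in the final week are a reason for a human to look, not proof of anything.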
Listen to your employees
Sometimes it is the people in the trenches who are the ones that truly understand the strengths and weaknesses of a company.
Several of the leaked internal documents suggest that Avid Life Media was very much aware of the risks of a potential data breach.
In a Microsoft Excel document that served as a questionnaire for employees about challenges and risks facing the company, employees were asked: “In what area would you hate to see something go wrong?”
Trevor Stokes, ALM’s chief technology officer, was certain:
Communication is key to successful compliance practices. Talk to your staff. Ask questions. Listen to their answers. Use that information to protect everyone connected to your company. Compliance is an organic process: it is only by engaging with your staff that you can continue to be proactive and keep your company one step ahead of the next attack.