Ashley Madison data leak: Industry reaction and analysis

Today it emerged that the hackers who stole customer data from dating website Ashley Madison leaked the information online, exposing the personal information of millions of people.

Various industry professionals have responded to the news; their comments can be found below.

Corey Nachreiner, CTO, WatchGuard:

"What is alarming about this data breach is the sheer scale of the compromise, which included the company’s entire infrastructure. The danger here would be to condone this kind of Robin Hood vigilante behaviour because of the ethical code of the site’s users. The reality is, information stolen could lead to any number of hackers extorting money and blackmailing users for the rest of their lives.

"Ashley Madison claimed to have stepped up their network security following the initial attack. But this ignores the fact hackers have had access to an enormous amount of data for some considerable time, which is another red flag for companies who store valuable data. Businesses should assume they have already been compromised when putting security in place since you can never have perfect defence. Organisations must implement discovery-and-response tools so that they can immediately see and handle the incidents that get past their gates.

"It is a reminder that cyber criminals may be hacktivists with social agendas who want to disrupt day-to-day business or organised criminal groups going after your customers’ financial or personal data – or in this case, both. At the route of these exploits, I am reminded of the advice I regularly give to kids. At a very basic level, do not put anything online you wouldn’t be happy to see on the front page of news on your grandmother’s coffee table. The internet is forever, no matter who you trust with your data."

Luke Brown, Vice President & GM, EMEA, India & Latam at Digital Guardian:

“If ALM were trying to call The Impact Team’s bluff then it seems to have backfired pretty spectacularly. While the data has only been released on the dark web for now, it will inevitably find its way into more mainstream channels over time, resulting in very public naming and shaming for Ashley Madison’s members. Perhaps even more embarrassing for ALM and Ashley Madison is the disclosure of the fact that a significant proportion of users on the site are fake, bringing into question the credibility of the website as a whole.

"For sites like Ashley Madison, data is its lifeblood, so why was it not better protected at the source? It’s not just Ashley Madison that’s guilty of this though. Recent reports from Gartner and Forrester show that between 2010-2014, an average of 41 per cent of security investment went on network (perimeter) security and only 1 per cent on actual data protection.

"In this same time period the number of major global data breaches has nearly tripled. Had a more data aware security model been in place, ALM could have prevented much of this data from ever being taken, either by hackers breaching perimeter defences, or someone on the inside trying to remove it. As it stands, it looks like it’ll be quite a while until this sorry affair reaches its conclusion.”

Patrick Peterson, CEO of Agari:

"It will now be critical for Ashley Madison to continue being open and honest with its customers and the public. Either they can control the narrative, or the criminals can control the narrative.

"In today’s connected age, where data breaches are inevitable, every minute matters. As part of response plans, it’s imperative that businesses are prepared to be upfront and transparent right away. Something that is especially important for a brand like Ashley Madison, who’s entire business model was built on the premise of guaranteeing users anonymity.

"It’s also important to remember that the one-two punch of a data breach means that further damage could still come. Every publicised data breach becomes another chance for cyber criminals to target victims with spam or phishing efforts in an attempt to steal personal information.

"This means crisp, clear messaging with the appropriate balance of confidence and contrition is imperative. For Ashley Madison it also means choosing a secure channel of communication, such as email, to communicate with customers and introducing security controls that monitor for any authorised communications referencing the brand that put customers at further risk."

Gary Newe, Technical Director, F5 Networks:

“The news of this hack only shows how the rate of data breaches is showing no signs of slowing down. Is it even possible to keep our online data secure? If you haven’t been targeted yet, you’ve been lucky. But if organisations don’t act now, hackers will continue to find new ways to compromise their systems and steal their data.

"Unfortunately, there is no silver bullet to solve the issue so many are now facing. However, organisations should start by looking at what they’re trying to protect and what it is hackers might be looking to compromise. Increasingly, the vectors of these attacks are multi-threaded. For example, while a DDoS attack might be ongoing, it is often designed to distract the security and IT team whilst hackers attack your applications surgically elsewhere to gain access to your data.

"It has been interested to see how the industry is split around the morals of this hack. Regardless of your views on Ashley Madison’s customers and the service, this is an unacceptable breach of online privacy. If we start separating hacks into those that are acceptable and those that are not, where does it stop?

"If we want to keep businesses and consumer data safe from hackers, we need to be on the same side of the fence, rather than deciding whether a hack is moral or not."