It’s hard to convince people to hand over their personal data without assurances it will be kept safe; something the founders of infamous dating website Ashely Madison were well aware of.
A website for infidelity and married dating, Ashley Madison promised anonymity and privacy for its millions of users, billing itself as ‘100% discreet’. To access its services users handed over personal information including their names and email addresses, their privacy concerns no doubt eased by the dating website’s message of discretion and security. Except in the world of cyber, every business is at risk—particularly those that hold extremely sensitive, personal information.
In 2015 the worst happened; hackers under the name Impact Team infiltrated Ashley Madison’s systems and threatened to release details of its entire user base to the public. In what can be described as a moral attack, Impact Team demanded the owners of Ashley Madison and its companion site to take both websites offline. The owners refused to comply, and the hackers made good on their threat by publishing the stolen data online.
Navigating the fallout: An alarm call for all tech companies
Almost a decade on, the impact of this data breach is more relevant than ever. As portrayed in the popular Netflix docuseries, the hack disrupted the lives of many of its victims, leading to resignations, divorces and, tragically, suicides.
While names and email addresses are not typically classified as highly sensitive, the nature of the website in question placed greater weight behind the need for privacy. Even users who took precautionary measures when signing up to Ashley Madison, such as using fake names and phone numbers, found themselves exposed as Impact Team published credit card details—with other users able to be identified through data such as their height, weight or personal preferences on the site.
It didn’t take long for cybercriminals belonging to other threat groups to take advantage. Sextortion refers to a highly personalized extortion scam, where the threat actor emails individuals their data from a data breach and claims to possess personal videos or photos which they will distribute unless a ransom is paid. The Ashley Madison breach was the perfect breeding ground for this type of attack, with many of its victims being targeted even 5 years after the breach—not only resulting in the stress of managing a ransom demand, but resurfacing the scandal as a whole.
This entire episode raises critical questions for all types of business—not least tech companies storing user data. Do you manage, store and use data? Are you following the privacy laws? Can you do more to keep data safe?
Cyber security: Why it should be top of the agenda
Unfortunately where user data is concerned it’s easy to run into trouble. Earlier this year company review site Glassdoor was found to have attached real names to profiles without the user’s consent. Again, names are not considered sensitive data. But the context of the website makes this data more sensitive, as users may fear retaliation from an employer should they be identified. While Glassdoor claimed that users can choose to remain anonymous, since the website now requires and stores the names of all users, a data breach could see them being linked to their reviews.
This data risk is everywhere. Grindr, a dating website for the gay, bi, trans and queer community, allows the option for users to share their HIV status with other users. While this is a fundamental step in creating a safe community, it’s not information the that user would necessarily share beyond that context. Grindr are currently facing litigation from hundreds of users alleging the company shared their private information, including their HIV status, with third parties without consent.
Like Ashley Madison, all platform and tech providers that hold personal or sensitive information on clients come with significant cyber risk. These companies need to be incredibly mindful of how they collect, store and use information, following data privacy laws and giving customers confidence that data privacy is a priority.
Mitigating cyber risk: Steps for today’s tech companies
Who can say how many companies that store data know how to protect that data. What’s certain is that cybercriminals are becoming increasingly cunning in their tactics, able to steal vast volumes of data at rapid speed and at big consequences. Ashley Madison faced no financial ransom given the moral motive, yet the majority of data breaches do culminate in a hefty demand. This alone can be a huge burden for any business working alone to bear, and when you consider the additional costs that come with a cyber incident—remediation and recovery, restoring data, legal fees, reputational harm, business interruption and so on—it’s no surprise that for some businesses there’s no coming back.
Data breaches are of course just one type of cyber incident. High-profile cases like the Ashley Madison hack demonstrate this risk, however it’s vital that businesses understand the full picture of cyber risk—with ransomware, social engineering and theft of funds attacks growing in frequency and severity—and take steps to protect themselves and their customers.
That’s why comprehensive cyber cover is a vital part of risk management for all technology companies. If you’re responsible for large amounts of data, including third-party data, cyber insurance can offer robust network and privacy liability protection, also providing cover for a wide variety of cybercrime events. More than that, the best policies also come with cyber security and incident response services that can stop cyber incidents from happening in the first place.
Learn more about how technology companies can tap into market-leading cyber insurance by contacting our technology underwriting team.
