Secrets and Lies: Corporate data security lessons from the Ashley Madison hack

Maureen O’Neill is Senior Vice President, Discovery Strategy, at DiscoverReady. She can be reached at





Many people followed the news about the data breach with a mix of prurient interest, schadenfreude, and – for some – fear of personal exposure. My colleagues at DiscoverReady and I followed the news to understand the data security failures that allowed a breach of this severity, and the lessons that could be learned and shared with our clients.
To recap:, which touts itself as the premier website for married people seeking partners for affairs, suffered a headline-grabbing data breach earlier this year. Hackers stole account information and payment transaction details for more than 35 million members of the site. When the corporate owner of refused to accede to the hackers’ demand to shut down the site, the hackers posted the stolen data online to the dark web. The data included users’ names, mailing addresses, email addresses, phone numbers, passwords and partial credit card numbers. The data dump also contained users’ profiles, which included descriptions of what they were seeking in an affair partner (“I’m looking for someone who isn’t happy at home or just bored and looking for some excitement,” wrote one member).
Here are some observations on the data security implications of this breach.
Individualized Assessment

Beauty is in the eye of the beholder. And so is the sensitivity of data – at least in terms of which data are worthy of security measures more rigorous than the minimum required. (Those minimum requirements might be set by statute or regulation, by contract or by established industry standard.) At, the company apparently considered passwords and credit card numbers sensitive enough to warrant additional protection. Passwords were encrypted (although not effectively; more on that below). And credit card numbers were truncated, so the database stored only the last four digits. But remarkably, given the website’s purpose, the company did not believe that its users’ names and contact information merited such additional protection. Nor did it take any extra steps to safeguard the highly personal, soul-baring content of its members’ profiles.

Every organization possesses sensitive data of some kind. But what’s highly sensitive to one company might be ho-hum to another. Would volunteers registered with Habitat for Humanity be outraged if the charity’s IT systems were breached, and their names, along with information about the types of home-building projects they prefer to work on, were released to the public? Of course there would be cause for concern over the fact of a breach, but I doubt any of those volunteers would lose sleep because they were associated publicly with a respected charitable organization. But in that same hypothetical, what if the breach revealed the names and financial status of low-income families helped by the charity? Those families certainly would expect the organization to secure that information more zealously.

Every organization should conduct its own individualized risk assessment to identify its most sensitive data and create a triage-based system for protecting information. A company can’t take every conceivable measure to protect every piece of data – principles of proportionality come into play, and risk mitigation must be balanced with cost and efficiency of business processes.

Protect-in-Place Strategies

In today’s environment, it’s not a matter of if a company experiences a data breach, it’s a matter of when. Traditional data security measures, which rely on physical infrastructure and process controls to prevent breaches, are not enough anymore. Because those measures leave organizations vulnerable to attack, other types of protection should be incorporated into a robust data security program. One such solution is a protect-in-place strategy, also referred to as a data-centric approach. Using this approach, data are masked, encrypted or tokenized, so even if hackers gain access, the information is unreadable and therefore useless. tried to employ a protect-in-place strategy for its password data using data hashes. The company masked passwords using the bcrypt hashing system, implemented with a cost factor of 12, which would have been a highly secure, virtually unbreakable authentication check method. However, a subset of the passwords and logins were processed using the far less secure MD5 hash method before being passed through the bcrypt system. Once the stolen data were released to the web, data security experts (and some hobbyists) set out to break the password encryption. It didn’t take long for them to crack the MD5-hashed process, and once that happened, the decrypted passwords essentially provided a key to unlock the bcrypt encryption. The end result? Most of those encrypted passwords have now been decrypted.

So even a protect-in-place strategy isn’t enough if it’s not deployed correctly. A recent blog post at Ars Technica about the password decryption aptly observed, “a single misstep can undermine an otherwise flawless execution.” Companies need true experts to help design and implement data security measures, and those measures should be revisited frequently to ensure that they remain state-of-the-art. And as noted above, the efficacy of these protections must be weighed against their business cost. Not only can these tools be expensive, but they also impact business operations by slowing down the flow of data and the speed of transactions and by restricting access to information. Companies face tough choices about which data are sensitive enough to merit additional protection – and which are not.

Keep Your Promises faced criticism for more than just the fact of the breach. The company made promises to its users and the broader Internet community that apparently it failed to honor, resulting in a blow to its reputation – and a flurry of lawsuits.

First, there was the hubris. According to Robert Scoble, a technology evangelist currently working as the futurist at Rackspace, a representative of reached out to him looking to set up an interview with its president and CEO, Noel Biderman (who later stepped down in the wake of the hack). The purpose of the interview? To explain how had become “the last truly secure space on the Internet” and why “companies need to take every measure to ensure the security of their customers' data.” Oh, the irony. Here’s a look at the message to Scoble:


Second, marketed an extra security feature to its members: For an additional fee of $19, users could sign up for the full-delete service, which promised to completely erase the user’s profile and all data associated with the user. According to the hackers (and as alleged in several lawsuits), the company did not in fact delete data as promised. Indeed, in their manifesto to, the hackers pointed to this alleged fraud, which the hackers claim netted the company $1.7 million in revenue in 2014, as a motivation for their hack. 
So what’s a responsible company to do? There is no “easy” button for effective data security. But if an organization acts reasonably and thoughtfully, hires smart and creative people, devotes appropriate resources, and learns from everyone’s mistakes, it minimizes the risk of a catastrophic data security failure. But whatever you do – don’t claim to be the last truly secure space on the Internet.
Other Topics: 
Data Privacy
Web Topics: 
Cybersecurity & Privacy