On August 19, 2015, hackers shared account details, including credit card data, of 37 million users of the Canada-based online dating and social networking service Ashley Madison, a service marketed to people who are married or in committed relationships. After less than a week, scammers were already targeting Ashley Madison users, claiming they could remove their information from the site or using the information to publicly shame them. While 37 million users are scrambling to distance themselves from the site, there are a number of lessons here that we would all do well to learn.
- Even if you’ve never been to Ashley Madison, you could be a target. This breach was a welcome windfall for hackers who prey on the doubtful and curious. If you get an email inviting you to check if your email was on the Ashley Madison site, ignore it.
Why? Because when you enter your email address at the online site, it will confirm that you have an account (whether you do or not). Then it will helpfully disclose how you can remove your account by providing more information. In a moment of panic, you might provide that information, plus money or bitcoins, to remove the account without even knowing the legitimacy of the site or source.
- “QWERTY” and “12345” are not recommended passwords. One security expert tried to crack the passwords of 4,000 Ashley Madison accounts and found that nearly 10 percent were “12345,” “password,” “abc123,” or “qwerty.” Your account will be safer with a stronger password: at least eight characters, alphanumeric, and containing at least one special character. Or you could use a passphrase, such as “My dog Buddy weighs 50 pounds!”, rather than a single word.
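To make the password point concrete, here is an added example (not code from the article or from Ashley Madison) that checks a candidate password against a small constructed list of the weak passwords named above, applies the eight-character/alphanumeric/special-character policy the article describes, and estimates how large a brute-force search each password would need. The list, the policy function and the entropy estimate are assumptions made for illustration; a real check would consult a much larger breached-password list.

```python
import math
import string

# Constructed list of the weak passwords the article names, plus a few typical
# entries. A production check would use a large breached-password list instead.
COMMON_PASSWORDS = {"12345", "password", "abc123", "qwerty", "123456", "letmein"}


def is_common(password: str) -> bool:
    """True if the password (compared case-insensitively) is on the known-weak list."""
    return password.lower() in COMMON_PASSWORDS


def meets_policy(password: str) -> bool:
    """Hypothetical policy taken from the article: at least eight characters,
    contains both letters and digits, and at least one special character."""
    if len(password) < 8:
        return False
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_special = any(c in string.punctuation for c in password)
    return has_letter and has_digit and has_special


def charset_size(password: str) -> int:
    """Size of the character pool an attacker would have to search, inferred
    from which character classes the password actually uses."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation or c.isspace() for c in password):
        size += len(string.punctuation) + 1  # 32 punctuation marks plus space
    return size


def brute_force_bits(password: str) -> float:
    """Best-case search cost in bits, assuming every character were chosen
    uniformly from its pool. A password already on the cracker's list costs
    nothing to find, so it scores zero regardless of length."""
    if is_common(password):
        return 0.0
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


if __name__ == "__main__":
    for pw in ["12345", "qwerty", "Passw0rd!", "My dog Buddy weighs 50 pounds!"]:
        print(f"{pw!r}: common={is_common(pw)} policy={meets_policy(pw)} "
              f"bits={brute_force_bits(pw):.1f}")
```

The passphrase passes the policy and scores close to 200 bits of best-case search space, while the list entries score zero: a cracker tries those first, so length or character classes do not help them.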
- Company email is not safer than home email. It’s one thing to risk a personal computer, but when people use a company email to register for non-business sites, they could put that company at risk. Imagine if the CEO of a company used his work computer to access Ashley Madison. Scammers will not only target the CEO but also the company and thereby its clients. This also applies to government agencies; there were 15,000 .gov emails registered on Ashley Madison.
Here’s what you need to know
Given that sobering statistic, what do organizations need to do? First, they need to determine their level of exposure. Did any employees use organizational email to access the site? They also need to remind employees not to use company email addresses for non-business purposes. Companies that collect private and sensitive data need to be diligent in protecting it. Organizations should ensure that their sensitive and private data is encrypted, and they should have ethical hackers test their systems from external, Internet-facing vantage points two or three times a year. Taking risk mitigation measures in advance of a breach helps identify vulnerabilities and patch them before hackers can get to them. And, if all else fails, it is critical to have an effective incident response plan in place to address a cybersecurity incident when it happens.
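The first step above, determining exposure, amounts to checking whether any addresses in a leaked registration list fall under the organization's own domains (the same check gives the .gov count the previous section cites). The following is an added example, not code from the article; it runs over a constructed sample of made-up addresses and assumes the organization's domains are supplied as a list. It matches on domain-label boundaries so that a look-alike domain such as `corp.example.evil.test` does not count as `corp.example`, and it ignores lines that are not well-formed addresses.

```python
import re
from collections import Counter

# Constructed sample in the style of a leaked registration list.
# These are made-up addresses, not data from any real dump.
SAMPLE_DUMP = """\
alice@example.com
Bob.Smith@Corp.Example
carol@mail.corp.example
dave@agency.gov
erin@example.org
  frank@CORP.EXAMPLE  
not-an-email
grace@corp.example.evil.test
"""

# Deliberately simple address pattern: local part, '@', then a dotted domain.
# It does not attempt to validate every form RFC 5322 permits.
EMAIL_RE = re.compile(r"^[^@\s]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})$")


def email_domain(line: str):
    """Return the lower-cased domain of a well-formed address, else None."""
    m = EMAIL_RE.match(line.strip())
    return m.group(1).lower() if m else None


def belongs_to(domain: str, org_domains) -> bool:
    """True if domain equals one of the organization's domains or is a
    subdomain of one. Comparing on label boundaries stops
    'corp.example.evil.test' from matching 'corp.example'."""
    return any(domain == d or domain.endswith("." + d) for d in org_domains)


def assess_exposure(dump_text: str, org_domains):
    """Count addresses in the dump that fall under the organization's domains.
    Returns (matched_count, total_valid_addresses, Counter by matched domain)."""
    org_domains = [d.lower() for d in org_domains]
    per_domain = Counter()
    total_valid = 0
    for line in dump_text.splitlines():
        domain = email_domain(line)
        if domain is None:
            continue  # skip malformed or non-address lines
        total_valid += 1
        if belongs_to(domain, org_domains):
            per_domain[domain] += 1
    return sum(per_domain.values()), total_valid, per_domain


def count_gov(dump_text: str) -> int:
    """Count registrations under any .gov domain (the article's 15,000 .gov
    figure is this kind of count; here it is computed over constructed data)."""
    count = 0
    for line in dump_text.splitlines():
        domain = email_domain(line)
        if domain is not None and belongs_to(domain, ["gov"]):
            count += 1
    return count


if __name__ == "__main__":
    matched, total, per_domain = assess_exposure(SAMPLE_DUMP, ["corp.example"])
    print(f"{matched} of {total} valid addresses belong to the organization")
    for domain, n in per_domain.most_common():
        print(f"  {domain}: {n}")
    print(f".gov registrations: {count_gov(SAMPLE_DUMP)}")
```

Addresses are lower-cased and stripped before comparison, since a dump rarely arrives in a consistent form; the per-domain counter also shows which subdomains (here a mail subdomain) contributed, which is useful when deciding whom to notify.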
Nothing is secret on the Internet
Sooner or later, everything on the Internet will be in the public domain. With every action you take, think of the consequences if it were shared with others. As a wise woman once said, “Privacy and the Internet? That’s an oxymoron!”