Ashley Madison: latest in a line of embarrassing breaches

If ever there was a site that needed to be seen to take its security seriously, a website offering dating services for married people was it. So when Ashley Madison confirmed it had been compromised, there may have been more than a few million eyebrows raised at the prospect that the stolen data may be leaked online.

On one side, you have Ashley Madison, a website that encourages clients to cheat on their spouses, and operated under the tag line “Life is short. Have an affair.”

On the other, you have the Impact Team who want Ashley Madison and a second site, Established Men, shut down. If their demands are not met, they warned, they will put the data online for everyone to see.

The leaking of sensitive data online is an ongoing problem. But it’s one thing to threaten to leak credit card information; it’s another when that leak will tie you to a site aimed at cheating spouses. That’s not all that is at risk for the 37 million clients of Ashley Madison. The breach also exposed more sensitive data, including intimate photographs that may have been sent through the website.

The Ashley Madison hack adds to a long line of data breaches in the past year. The most recent was eerily familiar: hook-up site Adult Friend Finder suffered a breach only weeks ago, with the details of almost four million users published online.

It's a potential embarrassment for Ashley Madison users and could have repercussions in both their personal and work lives, security consultant Brian Honan said. "It can be used to embarrass individuals, but on an organisational level, individuals could be blackmailed and put the organisation at risk," he warned.

Of particular issue was the fact that Ashley Madison previously charged $19 to remove user data from the site, rather than hide the profile from public view. The practice of charging to remove a profile is not widespread and Ashley Madison has chosen to waive the fee for those clients who want out in the wake of this particular episode.

But users are putting a lot of trust in companies that they will do what they promise when it comes to wiping your personal data. “It’s hard to verify unless you have the ability to go in and perform an audit,” said Mr Honan.

In fact, when it comes to protecting security, a lot of it is out of the individual users’ hands when they are using online services.

Anyone using such services - whether it’s dating websites, online shopping or even social media - has to put a certain amount of trust in the organisation with which they are dealing: trust that they will have adequate security measures, and trust in the employees and workers who come into contact with your data. Ashley Madison’s parent company is already talking about the possibility of an inside job.

Dermot Williams of ThreatScape said the “insider threat” can be significant. “It’s not just about malicious insiders but also careless ones,” he said.

In the case of Ashley Madison, it’s a case of closing the stable door after the horse has bolted. However, there are some steps you can take to minimise the risk of getting caught up in any future breaches.

Knowing what you’re agreeing to is a start. Mr Honan warns users should look at the terms and conditions and the privacy policies of sites when they’re signing up to see what the site does with your information. He also recommends that you do a regular review of services you are signed up for and remove your information and profiles from those you no longer need.

Only handing over information to reputable sites will also lessen the risk, although it won’t eliminate it totally.

But the most obvious, and probably most effective, is not to put anything online you wouldn’t be happy with seeing on the front page of a newspaper. Treat each website as potentially hackable and act accordingly.

“At the end of the day, think twice about putting something potentially damaging online,” said Williams. “Digital footprints are set in concrete.”