The Long Tail of Ashley Madison

There is no reasonable expectation of privacy in the 21st century. The implications of the Ashley Madison hack and others touch on the very nature of cybersecurity and how enterprises need to conduct corporate “relationships” moving forward. It also reinforces our position on long-tail risks as we move into the “majority digital” era (See Digital Trust and the issue of Mass Risks at Scale) and the need for a Chief Risk Officer.

The Attack

Since the July hack of “adult affair” website AshleyMadison.com over 30 salacious gigabytes of personal data on over 30 million extremely identifiable men (and the occasional woman) has been released, as has the bulk of Ashley Madison’s source code and its internal email correspondence. Its losses include subscribers, revenue, a CEO, and an exit strategy as well as incurring a half-billion dollar lawsuit. At the end of the day, this is a dead company.

In turn, Ashley Madison’s users have lost their reputations, relationships, and more while the full potential impact of this hack is just beginning.

The Risk

Today’s digital economy is really all about personalized data and organizations world-wide are willing to pay for information that helps paint a more complete digital portrait of an individual – or a company.

The potential “long tail” of Ashley Madison lies in the possible combination of this extremely detailed, and now public, information together with information from a user’s social graph, credit card, travels, medical records, or perhaps their employment.  Corporations, governments, and hackers are increasingly adept at finding, and combining, personal data creating new risks for all.

Ultimately, the targeted use of this data may come from an unexpected source down the road. The question is, will this combined information make an individual a better marketing target or a better blackmail target?

The Enterprise Challenge

Enterprises need to recognize personal and corporate secrets are often not that different – we all have things we’d rather not publicly share. Just as some individuals trusted Ashley Madison, corporations routinely trust their partners, providers, and others with extremely sensitive information.

It’s clear the frequency, sophistication, and coordination of global cyberthreats is increasing, as is the level of cumulative information being purloined and re-sold on a daily basis which can be used to damage a brand, create an economic/business advantage, or extract a pound of public flesh.

Evolving, long tail threats are moving well beyond the normal role of the Chief Information Security Officer (CISO) and into the emerging role of the Chief Risk Officer (CRO) – a role that can ensure an extended-enterprise perspective on risk.

The Actions

We recommend enterprises consider the following actions:

• Ensure that the role of Chief Risk Officer is being filled and involved in the assessment of process, partnership/sourcing, cybersecurity or Managed Security Service efforts.
• Recognize data privacy is not guaranteed and re-evaluate security and information policies regarding how/when information is stored with third parties—this includes evaluating the cybersecurity and risk mitigation strategies of service providers and partners.
• Implement real-world stress testing of cybersecurity systems (especially those that meld analog and digital threat scenarios with motivational factors).
• Educate employees on the value of work/life separation (especially with regard to personal email and BYOD mobile, wearable, and laptop devices as the collection of personal and #IoT data continues to both expand and remain relatively unsecure).