Once upon a time there was a business that decided to make a website and so they did.
They wanted to collect information from their subscribers and why not? They were offering a service that people liked and personal information is a big thing. It is useful for marketing and other stuff, right? It works for Facebook and Google so why not a startup?
So the website is made, and registration forms collect all kinds of information. Some of it is relevant to the business, some of it is not. The registrations roll in and the business expands.
Everyone is happy.
Until one day when someone working within the company has a problem with another someone. The usual procedures are followed and someone is let go.
That someone may not have access but they have knowledge of the weaknesses of the website that was built in a hurry and by the lowest bidder. That same someone also knows how much data is in the company's database.
The company does not know it yet but that massive digital warehouse just stopped being an asset and became a PR bomb. A very big one, and the fuse is very short and easy to light.
Within a short amount of time the data is accessed and copied. The damage is now done and everyone at the company is going about their own business oblivious to the threat.
A phone call, email or tweet is issued from an unidentified person or persons demanding that the business comply with demands or this information will be leaked.
Sensitive information that the company promised IN WRITING it would go to great lengths to protect. The PR people blow up as the threat goes public. The company does not shut down right away, but the sudden downturn in business and over-zealous class actions cripple the business, which is put into receivership and eventually liquidated. Employees spend months trying to get back into work, and directors struggle to find work again with the stink of the security breach refusing to clear for a couple of years.
A story like this is starting to unfold for AshleyMadison.com with 37 million people on the books with some VERY private information.
Where did this break down? In my mind it is all about the attitude towards the data that was collected. Sure, it is a valuable asset when used correctly, but it is also a devastating liability when it falls into the wrong hands. Sure, the hacker or hackers are the bad guys, but the business is not completely in the clear. Holding information on behalf of your customers is a big deal. If you have no need for it, you should not be collecting it, and if you do need it, you need to treat it like an explosive. Lock it away offsite and encrypted. If you are not in the business of data security then you should not be pretending to provide it unless you are willing to invest significantly in securing your data.
Breaches will happen. You can take that to the bank. The difference is that breaches of poorly protected data do much more damage than breaches of properly secured data.
For this reason, when clients talk to me about setting up a web store and taking credit card payments on the website, I very quickly tell them to leave credit card payments to the experts and to gather and hold as little information as possible.
This latest breach is not going to be the last, and the impact on lives will be catastrophic, not for the cheaters but for the innocent families that can be ripped apart by the revelations, with effects that reach the next generation. Those are some pretty tough consequences for the operators of AshleyMadison.com to deal with on top of the personal pressure they will no doubt be facing.
We can all learn from this though and view the data we give and the data we collect differently to make sure it is treated with the respect it deserves.