Ashley Madison Hack: Reducing Cyber Risk
Jul 28, 2015
Since the hack, most of us are now familiar with Ashley Madison, the international dating website that connects married people who are looking to have an affair.
The site was hacked by a group that calls itself “the Impact Team”. Many people lack sympathy for those that subscribed to this website and the resultant hack because of its controversial nature. But if we look at the principles behind the hack and its implications for the business concerned, there are many points that we can all learn from. We probably should not be too quick to judge.
The Impact Team claims that it gained access to the site’s database and made a release of 40MB of data, including user credit card details and company financial information. Of most interest to both the users of the site and people who are interested in cyber security is that the release was accompanied by a manifesto which threatened to release users’ personal information if the site was not shut down.
Just three months before the attack, Ashley Madison announced plans for an IPO with a view to raising $200 million on the LSE. Analysts have now suggested that Ashley Madison may scrap its plans for this share flotation. The timing of this hack is hardly a coincidence!
Similarly, Apple’s iCloud storage system was hacked last year and nude pictures of celebrities appeared online. Apple said that there were no breaches in their systems. But a recent Daily Mirror investigation found a 300% rise in reports of "victims being humiliated or threatened with intimate photos taken from iCloud" by hackers.
Whilst new enactments in legislation may deal with the after effect of such hacks, what lessons have been learnt over the past year to reduce the likelihood of such attacks?
CYBER RISKS TO UK BUSINESSES
The attacks on Ashley Madison and Apple iCloud (to name but a few) serve as a warning to all businesses with an online presence. Cyber-attacks are becoming increasingly frequent and can cause a variety of losses to UK business, including:
- claims by data subjects for different types of losses;
- loss of IP and confidential information;
- fines by the Information Commissioner's Office and other regulators; and
- damage to business and reputation.
Hackers are determined and motivated and will always work their way through your site, especially if they have a point to prove or the target of the attack is likely to “make” them, either financially or in terms of their reputation. But you can reduce the risk of an attack by following certain practices, for example:
Be aware that hacking exercises take place, on occasion, because of human error from within an organisation. Training for staff is key, as is keeping up to date internal operational policies.
KEEP UP TO DATE
Given the rate of change in technology, businesses should ensure that their hardware, software and knowledge of cyber security issues remain up to date.
PENETRATION TESTING AND CERTIFICATION SCHEMES
A simulated attack will show how vulnerable a target would be to a real attack so do not be afraid to commission one of these. Also, the UK government has commissioned certain schemes which provide useful guidance on how to reduce vulnerability to online attacks and there are often cost effective methods that you can use to demonstrate the strength of your online security.
It is difficult to completely eliminate all risk of a hack, but by following the suggestions above you can at least reduce the threat. Speak to our cyber security lawyers and digital media lawyers for more information.