Recently, the world was shocked by the embarrassing details released after the data breach at Ashley Madison. In addition to the site’s members being embarrassed, hackers also exposed the personal data of millions of users. This breach was ripe for the tabloids and became news for many water cooler discussions. At the same time, it provided a real-time example of how consumer breaches can and do impact corporate security and business operations (beyond the embarrassment).
The first and most obvious lesson learned from this data breach is that if you use a weak password on a consumer website, even if that site employs good encryption technology (Ashley Madison used bcrypt to hash its users passwords), those passwords can still be cracked and exposed. In less than a week, more than 4,000 of the Ashley Madison passwords had been cracked. Worse, 1,191 of those passwords turned out to be unique values, and the hackers are likely working to identify additional user accounts related to those email addresses.
So how does this apply to the enterprise? It illustrates that even a breach unrelated to a company can expose details that put the company at risk. Research shows that employees reuse passwords on both work and personal apps, creating an easy way for hackers to gain access to corporate apps when personal apps are breached.
After the Ashley Madison breach, SailPoint did its own research around the exposed credentials, and realized that some of our customers had employee emails published. This was particularly concerning if those employees used the same password for work and personal apps, because then our customers’ systems could have been compromised by hackers. We were able to notify those organizations, who in turn forced automated password resets to be executed to mitigate their risk of exposure.
In order to ensure that consumer-facing breaches don’t have corporate effects, it’s imperative to educate employees on the importance of not reusing passwords across multiple apps, and it’s critically important to have an IAM solution in place that can provide automated password reset capabilities and help to govern password usage as part of a larger identity governance strategy.
The second lesson emphasizes the importance of proper handling of personally identifiable information (PII). In Ashley Madison’s case, no information apart from the password hashes, was encrypted. This resulted in user addresses and credit card payment information being published. Beyond the personal embarrassment, the company is now responsible for exposing all of its members to identity theft, or worse. Unlike the Target breach, in which the hackers stole the PII and did not publish it, the hackers dumped all of the data onto several well-known hacker data sharing sites. This opened the abuse vector to just about every script kiddie on the Internet, vastly increasing the potential of future exposure and impact.
The take away here for the enterprise is to always encrypt personal data. Had Ashley Madison used encryption for all personal data, things may not have turned out as badly as they have. Whether you’re storing Social Security Numbers, banking details, or other sensitive customer information, any PII should be encrypted.
A final lesson from this breach is that every organization needs to constantly evaluate their risk posture. Data breaches like Ashley Madison serve as an important reminder to educate employees through security awareness training and test internal response procedures in preparation for a potential data breach. Data breaches are here to stay, and enterprises must remain vigilant in how they prepare and respond, as well as how they protect their employees, data, infrastructure, and the data they manage on behalf of customers and partners.