We’ve touched on the issue of online privacy in previous posts, but recent data breaches once again hammer home the fact that virtually no information online is safe from exposure. The key lesson for security executives? If your company experiences a hack that exposes sensitive data, it could lose the trust of valued customers and business partners.
One of the more recent data breaches that attracted lots of media attention was the attack on Ashley Madison, a Web site that encourages spouses to cheat on their partners. The site was hacked and its 37 million clients were vulnerable to having their data leaked online by a group called the Impact Team.
According to reports, the group threatened to release a huge amount of data from Avid Life Media (ALM), which owns the site and related properties. This data is said to include client names, addresses and credit card transactions, as well as employee documents and emails.
ALM released a statement saying “we were recently made aware of an attempt by an unauthorized party to gain access to our systems. We apologize for this unprovoked and criminal intrusion into our customers’ information. We have always had the confidentiality of our customers’ information foremost in our minds, and have had stringent security measures in place, including working with leading IT vendors from around the world. At this time, we have been able to secure our sites, and close the unauthorized access points.”
But the damage was already done, and this is a prime example of why Internet users can never assume that their data will remain private once it’s been turned over to an online business of any kind. With regard to this particular business—moral issues aside—whatever trust it might have garnered from clients in terms of data privacy was likely shattered.
Other, similar types of data breaches are almost certain to follow, simply because there are hackers out there who know how to do it and have the motivation. In the past, it seemed like most data breaches were driven by monetary goals; people wanted to gather credit card information or steal identities so they could purchase things using someone else’s money.
Now, breaches are not just about profit. They can be motivated by political, moral, philosophical or competitive grounds, and criminal hackers have been joined by hacktivists and others who might be trying to make a point, exact revenge or make an organization look bad in front of the world.
Regardless of the driving factors, data breaches have the potential to expose countless records including personal information that people will likely not want to make public. This makes doing online business more risky for individuals, and could make people think twice about sharing details about themselves with organizations on the Web.
Sites built on the concept of privacy are especially vulnerable to issues of trust—or the loss of trust—when they are compromised. Any business that is based on protecting the privacy of its clients and then suffers a hacker attack that exposes data is likely to fold under the weight of its failure to protect that information.
For consumers, the message of these data breaches is clear: assume that any service you use online actually has imperfect and vulnerable security and privacy. It’s a “buyer beware” warning for modern times.
Getting back to how all of this ties in to corporate data security, without extremely robust safeguards in place, companies risk having their customers’ and employees’ data fall into the hands of nefarious actors.
When a company is breached, its customers stand to lose a lot because they are putting their personal information on the line: not just credit card numbers, but in some cases deeply personal information that they would want to remain private.
In some cases, the business is the customer data, so imagine the damage done when that data is exposed to hackers. Trust goes out the window, and customers likely walk out the figurative door, never to come back.
There is always a relationship between a company and its customers, and a good part of that relationship is about trust. Yes, following the Target and Home Depot breaches, shoppers still returned to buy waffle makers and lumber. For most consumers, the breaches were a news item, not necessarily something to worry about.
But what if those breaches exposed what items people bought and when, along with their home addresses? What if the breach takes place at a business that is built on the idea of privacy? If we think about what we post online, we have much more to lose than credit card data. That data has immediate value, but our identities—and privacy—have more value.