Ashley Madison and Morrisons: lessons learned

When a group calling itself the Impact Team decided to release all customer records, including profiles of the 37 million users of the adultery-themed dating site Ashley Madison, they raised some very serious questions not simply about adultery, but about security for online sites and the retention of personal data.

The company’s Chief Executive Noel Biderman, believed the breach to have been an ‘inside job’ and not the fault of the company’s inbuilt website security. Yet, as the dust settles on the debacle, some uncomfortable truths have been revealed; and not just about Ashley Madison, but about how many websites have taken and continue to take a casual attitude toward the security of personal data, including payment card details.

The Ashley Madison site was engineered and arranged like dozens of other modern web sites, and by following those rules, the company could be said to have made a breach like this inevitable. An example of this is Ashley Madison’s password reset feature. It works just like dozens of other password resets: enter an email address, and if you’re on their database, they issue a link to create a new password. This is standard web practice but that does not mean that it is secure or indeed wise.

Nor is it the only example. Similar points could be made about data retention, SQL databases or a dozen other back-end features.

For far too long, this is how web development has worked: copying features that work on other sites, giving developers a Codebase to work from and users a head start in negotiating their way around. But these features were never built with privacy in mind. The password reset feature, for example, was fine for services like Amazon or Gmail, where privacy is rarely an issue, but for an ostensibly private service like Ashley Madison, it was a disaster waiting to happen.

As the dust settles on the whole debacle, and casting aside any moral or ethical issues about its service, from a website design point of view there were built in errors that had made the site vulnerable from the outset. For example, the fact that the site kept users’ real names and addresses on file. While it is standard practice for many online businesses, making billing easier, it builds in a degree of risk that few users routinely comprehended.

Receiving significantly less publicity was a breach within the Morrison supermarket organisation. Again, this was triggered by an ‘insider’ who held a grudge. The man, who worked as an internal auditor, took advantage of the easy availability of data and leaked sensitive, personal data relating to almost 100,000 Morrisons supermarket staff online. The data breach is thought to have cost the Bradford-based company more than £2m to rectify.

In both the Ashley Madison and the Morrisons case, there was no overt technical failure to blame for the breach, but there was a serious data management problem from the outset, centering on the retention of sensitive personal information.

It is too simplistic to claim that companies should simply stop storing personal data. But it is perfectly reasonable for customers to expect that data is not retained unnecessarily nor in a way that makes it vulnerable to breach. It is not just those with secrets to hide who need data security to be built into the very heart of online business.

Posted 3 years ago on · Permalink