4 Lessons Learnt From The Ashley Madison Hack

By Jay Zaidi

By now you've heard or read about the juicy details related to the Ashley Madison hack - 37 million customer records stolen and exposed on the internet, for everyone to see.  

The fact that rogue actors can compromise systems with impunity should send shivers down our spines.  Lately, systems at Ashley Madison, the Internal Revenue Service (IRS), the Office of Personnel Management (OPM), Anthem, JP Morgan Chase, eBay, Adobe, Home Depot, Target and a host of other organisations have been compromised, exposing personal, financial and biometric data belonging to hundreds of millions of individuals, government employees and contractors.

The severity and frequency of such hacks show how vulnerable organisations and individuals are in a highly dynamic and complex Information Technology (IT) and Data Management environment.

There are very serious implications for registered users of Ashley Madison due to the exposure of their personal and financial data, but there are major implications for each of us too and the organisations we work for.  

I would like to share some lessons learnt from the latest exposé.

Forget Ashley Madison, for a moment, and replace it with: medical records. Your full income tax returns. Your inbox.

The hackers, known as the Impact Team, went after Avid Life Media because of the ineffectiveness of its $23 Full Delete service. They demanded that Avid Life take down Ashley Madison or they would release the data.  Users paid the fee to be permanently deleted from Avid Life Media's systems; however, because customers had paid by credit card, their details, including names and addresses, reportedly remained in the database.  

After analysing the details of this particular case, I have summarised the situations Avid Life Media found itself in and the lesson each one teaches. The lessons apply to every individual and organisation, not just to Avid Life Media:

Lesson #1 - The threats weren't taken seriously and Avid Life Media considered them a hoax.  

Recommendation #1 - Take cyber threats seriously and address Cybersecurity as part of your overall Enterprise Risk Management program. Sensitive data is a prime target of rogue actors because of its value and the damage its compromise causes to state actors, organisations and individuals.

Lesson #2 - Avid Life Media had no idea where sensitive data was stored within its Data and IT ecosystem and hence was unable to purge it from its systems.

Recommendation #2 - This is a very serious Data Governance failure on their part.  Any organisation that deals with sensitive data has a responsibility to properly manage and secure it.  Organisations must do the following as standard governance practice:

  • Implement a Data Portfolio Management strategy. You can't secure data if you don't know that you own it or where it sits within your data ecosystem. Maintain an inventory of the types of personal, financial, biometric and banking data you hold and the sensitivity of each type (e.g. Regulated, Confidential or Public). Data Governance and Metadata Management tools support this capability.
  • Document access control policies for each type of sensitive data (who may access it and under what circumstances) and ensure that every system enforces them. Review the policies regularly so that they stay current, and run automated internal audits to verify compliance.
  • Document the location of all sensitive data across the IT and Data ecosystem, whether it sits inside the firewall or in the cloud. Data Discovery tools help identify sensitive data, and the results belong in the Metadata Management system.
  • Implement automated audit and reporting that monitors access to sensitive data and flags unusual behaviour. This requires close co-ordination between the Data Management, IT and Information Security teams; database and server log monitoring combined with analytics is the usual tooling.
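To make the four practices above concrete, and to show why the Full Delete failure described earlier is an inventory problem, here is an added worked example in Python. It is illustration written for this post, not code from Avid Life Media or from any product: the store names, roles, log format, row threshold and sample records are all assumptions. It keeps a small data inventory (where personal data lives, its sensitivity class, and which roles may read it), runs a "full delete" both the naive way and the inventory-driven way, and then audits some constructed access-log lines against the policy.

```python
"""Added example, not from the article or from Avid Life Media: a toy data
inventory and two checks driven by it. All store names, roles, log format
and thresholds are assumptions made for illustration."""
from dataclasses import dataclass, field


@dataclass
class Store:
    """One place personal data lives, as recorded in the data inventory."""
    name: str
    classification: str        # "Regulated", "Confidential" or "Public"
    allowed_roles: frozenset   # roles permitted to read this store
    rows: dict = field(default_factory=dict)  # user_id -> record (toy backing store)


# The Data Portfolio inventory: every store holding personal data, its
# sensitivity class and the access policy attached to it (assumed values).
INVENTORY = {
    "profiles": Store("profiles", "Confidential", frozenset({"app", "support"})),
    "payments": Store("payments", "Regulated", frozenset({"billing"})),
    "email_archive": Store("email_archive", "Confidential", frozenset({"support"})),
}


def seed(stores):
    """Constructed sample data: one paying customer present in every store."""
    for store in stores.values():
        store.rows.clear()
    stores["profiles"].rows["u1001"] = {"name": "A. Customer"}
    stores["payments"].rows["u1001"] = {"card_last4": "4242", "name": "A. Customer"}
    stores["email_archive"].rows["u1001"] = {"messages": 3}


def full_delete(user_id, stores, purge_from):
    """A 'full delete' that only touches the stores the developer remembered."""
    for name in purge_from:
        stores[name].rows.pop(user_id, None)


def residual_records(user_id, stores):
    """Inventory-driven verification: walk EVERY store the inventory lists and
    report where the user still exists. An empty list means the delete held."""
    return sorted(name for name, store in stores.items() if user_id in store.rows)


def naive_delete_leaves():
    """Delete only from 'profiles'; the billing and mail copies survive."""
    seed(INVENTORY)
    full_delete("u1001", INVENTORY, purge_from=["profiles"])
    return residual_records("u1001", INVENTORY)   # -> ['email_archive', 'payments']


def inventory_delete_leaves():
    """Delete from every store the inventory knows about."""
    seed(INVENTORY)
    full_delete("u1001", INVENTORY, purge_from=list(INVENTORY))
    return residual_records("u1001", INVENTORY)   # -> []


# Constructed audit log lines in an assumed key=value format:
#   <timestamp> role=<role> user=<account> action=<read|delete> store=<store> rows=<n>
AUDIT_LOG = [
    "2015-01-01T02:14:05Z role=billing user=svc_bill action=read store=payments rows=1",
    "2015-01-01T02:15:40Z role=app user=web42 action=read store=payments rows=1",
    "2015-01-01T03:02:11Z role=billing user=jdoe action=read store=payments rows=250000",
    "2015-01-01T03:05:00Z role=support user=kim action=read store=profiles rows=12",
    "2015-01-01T03:07:30Z role=support user=kim action=read store=backup_dump rows=500",
]


def parse(line):
    """Turn one audit line into a dict; 'rows' becomes an int."""
    ts, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = ts
    event["rows"] = int(event["rows"])
    return event


def audit(lines, stores, bulk_threshold=1000):
    """Flag (a) reads by a role the policy does not allow, (b) bulk reads of
    Regulated data at or above bulk_threshold rows, and (c) reads of a store
    missing from the inventory, i.e. data nobody knew they had.
    Returns a list of (kind, user, store) tuples in log order."""
    findings = []
    for event in map(parse, lines):
        store = stores.get(event["store"])
        if store is None:
            findings.append(("unknown-store", event["user"], event["store"]))
            continue
        if event["role"] not in store.allowed_roles:
            findings.append(("policy-violation", event["user"], store.name))
        if (event["action"] == "read" and store.classification == "Regulated"
                and event["rows"] >= bulk_threshold):
            findings.append(("bulk-export", event["user"], store.name))
    return findings


if __name__ == "__main__":
    print("after naive delete, still present in:", naive_delete_leaves())
    print("after inventory-driven delete, still present in:", inventory_delete_leaves())
    for finding in audit(AUDIT_LOG, INVENTORY):
        print("finding:", finding)
```

The point of the design is that both checks are driven by the same inventory: the delete routine and the audit routine consult the list of stores rather than a developer's memory, so a store that is missing from the inventory shows up as an "unknown-store" finding the first time anyone reads it, instead of silently holding data that the customer was told had been purged.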

Lesson #3 - Avid Life Media was led to believe by its internal staff and consultants that sensitive data was secure.

Recommendation #3 - An organisation's IT and Data ecosystem is like a very large palace with hundreds of doors.  All it takes for a thief to get into the palace and steal the crown jewels is a single door left unlocked, accidentally or deliberately, by a staff member or a third party.  

Some organisations get complacent and drop their guard. It is naive for an organisation to believe that its systems can't be compromised and that its sensitive data is secure, regardless of how robust it thinks its defences are. 

All a hacker needs is one exposed service with an exploitable weakness, inside information from an insider who has turned rogue, or credentials that unlock systems (e.g. passwords, VPN tokens) bought on the Dark Web. Staying vigilant, proactively identifying unusual activity targeted at sensitive data and responding to it appropriately is the most realistic defence.

Lesson #4 - The firm was operating in departmental silos.

Recommendation #4 - Organisations can't afford to keep operating in silos.  Transparency, collaboration and constant communication are required between internal departments (e.g. Chief Information Security Office, Chief Privacy Office, Chief Information Office, Chief Data Office, Regulatory Compliance, Risk Management, etc.) and external parties (e.g. vendors, competitors, intelligence agencies, etc.) to share information, discuss risk mitigation strategies and apply the necessary checks and balances. Read more about this in my post titled "Re-thinking Information Security and Data Governance".  My firm has implemented this framework at several clients, with excellent results. 

The IT and Data ecosystem is constantly evolving, which creates gaps and vulnerabilities that provide opportunities for bad actors to compromise data.  

Organisations have to take the following six-pronged approach to address such risks:

  • Implement strong data governance in conjunction with their IT governance and Information Security processes,
  • Ensure compliance with data-related policies and procedures,
  • Proactively monitor activity and flag abnormal behaviour, especially as it relates to sensitive data.  Insider threats have become a major issue and are harder to isolate,
  • Secure sensitive data using encryption and other techniques,
  • Integrate Information Security with Data Governance activities and conduct spot audits to identify weaknesses, and
  • Share notes and co-ordinate activities with other organisations and intelligence agencies, and take preventive measures.

The bottom line is that we are living in a highly sophisticated world, where technology continues to evolve and is getting extremely complicated.  Sensitive data flows between servers, desktop computers, mobile devices and, across the ether, between third parties.  Most of those transfers and handshakes rest on trust.  Therefore, we are only as secure as the weakest link in this Information Supply Chain.  

Now that I've discussed the lessons learnt from the Ashley Madison exposé, it is time for you to assess the security of your personal data and of the sensitive data stored in your organisation's systems.  Is your personal, financial and biometric data secure? Has your organisation learnt the lessons from the Ashley Madison exposé? If not, then it's time you did something about it. You don't want to see your personal data, or sensitive data stored in your organisation's systems, splashed all over the Internet.  

Update #1 - Sunday, August 23, 10 pm Eastern Standard Time - I just read that Ashley Madison is facing a C$760m ($576m; £367m) class-action lawsuit by its Canadian customers for failing to protect their data. Its reputation has been tarnished and it's now facing legal challenges that will severely impact its bottom line.  

Update #2 - Monday, August 24, 9 am Eastern Standard Time - Received a BBC news alert on my mobile phone, stating that two Ashley Madison Canadian customers have committed suicide after their information was published on the internet. Can you imagine the stress that these two individuals went through, that caused them to take the extreme step of committing suicide?  This single exposé is wreaking havoc on individuals and their families.  How does one assign a dollar value to someone's life? 

Update #3 - Tuesday, August 25 - Eight people across the U.S. who registered to use Ashley Madison are suing the website, for not protecting their financial data and sexual proclivities.  The lawsuits were filed between last month and Monday by Ashley Madison users in California, Texas, Missouri, Georgia, Tennessee and Minnesota. They all seek class-action status to represent the estimated 37 million registered users of Ashley Madison.  The lawsuits, which seek unspecified damages, claim negligence, breach of contract and privacy violations. They say Ashley Madison failed to take reasonable steps to protect the security of its users, including those who paid a special fee to have their information deleted.

Update #4 - Wednesday, August 26 - I just read an article that Ashley Madison users are now facing extortion attempts. Spammers are trying to use an anonymous email service to target victims of the Ashley Madison hack. 

Update #5 - Friday, August 28 - I found out this morning that Noel Biderman, the high profile CEO of Ashley Madison's parent company Avid Life Media has resigned. The saga continues.

All this could have been avoided if Ashley Madison had done the right thing: deleted the personal and financial data of customers who paid for its Full Delete service, bolstered its data governance and information security, proactively monitored for unauthorised access to sensitive data and implemented a Data Portfolio Management strategy. 

Unfortunately, there are no silver bullets. The best way for organisations and individuals to mitigate these risks is to learn from previous attacks and implement the recommendations I've outlined above.

Go forth and conquer!

Jay Zaidi is Founder and Managing Partner of AlyData - Big Data and Cyber Security Experts