Ashley Madison: The Real Cost of Stolen Data

When I first got involved in the somewhat dour world of PCI DSS some ten years ago, reputational damage was always touted as one of the principal drivers for businesses to willingly embrace the requirement. All presentations on the subject asked the rhetorical question, ‘do you don‘t want your companies name plastered all over the Daily Mail for losing your customer’s credit card details?’

Audiences sat impassively, hoping that it was a case of safety in numbers. ‘Chances are it won’t be me’ they would have been thinking, after all at this time such stories that made the news were few and far between.

For many, the obscurity of their business meant that even the most creative journalist was unlikely to be able to create a story that would get close to the front page of the local paper.

Then TJ Maxx gets compromised.

The ‘big one’ finally occurred when TJ Maxx, the US parent of our TK Maxx, suffered a huge compromise back in March 2007.

This was the long forecast ‘game changer’ which would prove to be the ‘wake-up call’ to the world. The story did make the front page of The Times and there was significant financial fall out to the victim. That said, they clearly lived to fight another day, and to anyone outside the industry the incident is now confined to the annuls of PCI DSS history.

Since then we have seen more big stories, mostly affecting established, customer present merchants, be they retailers, restaurants or hotels. In most recent cases, such incidents will have caused significant corporate discomfort. However, by and large their physical presence and firmly established brands have enabled them to ride out some fairly significant storms.

Ashley Madison is a different matter.

Setting aside the niche that it has carved for itself, it is first and foremost an on-line brand. Its entire business model is built around the confidentiality of, and discretion with which, it uses its subscribers data.  Whilst not a USP in its own right, without this ‘trust’ the brand could be fatally holed beneath the ‘water line’.

What we are seeing here is what was being predicted all those years back when PCI DSS was first introduced. Whilst payment card details could be an element of the compromised data, in a rather ironic way, this is the least of their problems. Whilst PCI DSS dwells on one ‘digital asset’ it is increasingly being recognised by that cyber security must extend to the vast array of personally identifiable information (PII), intellectual property and otherwise proprietary data that constitutes todays online businesses.

We are now operating in an environment where sentiment oscillates wildly. Stratospheric growth can be followed by catastrophic decline all at the whim of various social and mainstream media channels upon which many of us now base their opinions and buying decisions.

The website is the business.

If the website is undermined in any way shape or form (either technically or via human involvement), there can be little to fall back on. Failover technology does little to assuage hard earned loyalty if trust has evaporated overnight.     

Whilst the forensic investigators pick their way through the evidence, the victim limps along in damage limitation mode. If not already known, the root cause will soon be established and as we so often hear these days ‘lessons will be learnt’.

Many will be beefing things up as the story develops, crossing their fingers and contemplating ‘there but for the grace of god go I’! Many of today’s e-commerce businesses would not have been around to experience the early utterances on PCI DSS, the ‘crystal ball gazing’ that foresaw reputational damage, but perhaps not to the extent we have witnessed this week.   

To find out more about how to secure your website's data, visit www.foregenix.com/fgxweb.php

Learn more:

- A Forensic Investigator's thoughts on the Ashley Madison Hack

- 11 Steps to Improve your Website Security