When a cyberthief attacked Ashley Madison a dating website for cheaters with the stated goal of demonstrating that the sites mechanism for deleting customer data didnt work, it sent a signal that should be heeded by any company that handles sensitive data.
In its marketing, Ashley Madison acknowledges that its clients may want to cover their tracks, and promises to help them do so for a $19 fee. In exchange for this payment, the dating site promises to remove the user's personally identifiable information, but "users' purchase details including real name and address aren't actually scrubbed," according to the attacker's message, as quoted by KrebsOnSecurity, which first reported the news of the breach.
Ashley Madison's business model may have made it an appealing target, but the technological problem it faced applies just as well to any company that handles sensitive data, including payment card data. Merchants that consider services promising to encrypt their data or remove it from their networks must also figure out how to dispose of any older data that these systems may not be aware of.
The breach that Heartland Payment Systems disclosed in 2009 is one of the clearest examples of this type of risk. The payment processor had passed repeated audits that validated its compliance with the Payment Card Industry data security standard, but those audits overlooked data on non-payment systems, such as card account details that employees had carelessly stored on their own computers.
As Robert O. Carr, Heartland's chairman and chief executive, told American Banker in 2009:
"That's been a real eye-opener," he said. "Anybody that has a data-loss prevention tool will be surprised in how many different places card numbers can wind up, especially in a corporate environment where you're doing a lot of servicing."
Though this data was not involved in the breach, Carr said that the improperly stored account numbers are the kind of vulnerability that a PCI audit would not find yet could be exploited by thieves.
Heartland found this data by using an application from Symantec Corp. called Vontu, which scanned its systems for improperly stored data. It's not clear whether Ashley Madison uses similar technology when it performs a "full delete" of customer data.
Ashley Madison describes the "full delete" service as "a hard-delete of a requesting user's profile, including the removal of posted pictures and all messages sent to other system users' email boxes," according to a statement provided July 20, and the company is now waiving its fee in the wake of the breach. But whether the company calls it a "full delete" or a "hard delete," it doesn't define the term in any more detail, and the company did not respond to a request for clarification by deadline.
It's actually very difficult in most operating systemsespecially Microsoft Windowsto completely delete anything, as "deleting" a file simply means the operating system removes it from view until that portion of the hard disk gets overwritten with another file. Unless Ashley Madison is physically destroying every hard drive that customer's data has touched, a "hard delete" is a hard promise to keep.
In the example of Ashley Madison, the attacker was more interested in shaming the company than profiting from its compromised data, notes Avivah Litan, a vice president at Gartner.
"They're not out for financial gain. They're just angry people. This attack was socially and politically motivated," Litan said. "Otherwise, they would have called privately and asked for money. We see that all the time. This is someone who was probably personally damaged by the site. It's a personal vendetta."
She speculated that the attacker may have been the scorned spouse of an Ashley Madison customer.
The incident sends another message besides the one the attacker intended, Litan said. Small businesses and startups that "just don't care that much about security" must change their attitudes, because a breach can occur for any reason, she said.
Thus, any company that disposes of sensitive data must be extremely diligent about how it does so and must also be careful about the promises it makes to its customers, said Thad Peterson, a senior analyst with the Aite Group.
"We all know that hard deletes don't remove data from a hard drive. The data is potentially still there," Peterson said.
The nature of the site meant that the data it held was especially sensitive, in that it could cause massive personal problems were it to leak out. However, any personal data (such as health care records) could be considered damaging or embarrassing if exposed to the public.
Even so, privacy consultant Liz McIntyre dubbed Ashley Madison as "a blackmail magnet" with "life-wrecking potential."
When working with large companies on privacy policies, she said a clear rule is to say that no company can guarantee "that other people aren't going to be able to get in there," McIntyre said. "Anyone offering that kind of (data-deletion) promise when they're collecting this kind of sensitive data, that is very difficult to support."