NEWS ANALYSIS: There appears to be a type of blindness among C-level executives in some companies that makes it impossible for them to anticipate the inevitable consequences of ignoring security.
Right now, it's not clear who breached the security of the marital infidelity site Ashley Madison, although there's an international team of investigators looking into it.
In the meantime, the list of members, including details of their dating preferences, has found its way to the open Internet, with results that are sad but not surprising.
According to press reports in The Huffington Post and the Financial Times, at least one American and two Canadian subscribers to the service have ended their own lives. A mayor in Alabama has resigned.
A reality television star has been found out, and some government agencies are investigating whether the military and government email addresses found in the Ashley Madison list are real and linked to current employees using the service.
The corporate response is also predictable. The CEO of Avid Life Media, the parent company of Ashley Madison, has left the company, likely not of his own volition. "Noel Biderman, in mutual agreement with the company, is stepping down as Chief Executive Officer of Avid Life Media Inc. (ALM) and is no longer with the company," said a statement from the management team appearing on the company's Website on Aug. 28.
"Until the appointment of a new CEO, the company will be led by the existing senior management team. This change is in the best interest of the company and allows us to continue to provide support to our members and dedicated employees. We are steadfast in our commitment to our customer base."
Unfortunately for the customer base of ALM, a wealth of information, including names, email addresses, credit card information and a range of other very personal data, has already been leaked. To make matters worse, because the company never verified the information of the people who signed up for the service, much of the data is either fake or, worse, belongs to someone else who never visited the site.
This, in turn, means that there are people whose names and email addresses turn up on the leaked Ashley Madison list but who were never users of the service. They will be exposed for something they didn't do, and in those cases, the consequences will fall on them.
How they react will vary according to the individual, but it's conceivable that one or more of those people who killed themselves did so because they were singled out, and didn't think they had a way to prove what they didn't do.
Meanwhile, the management team of Ashley Madison is continuing to do business on their Websites, apparently free of any of the consequences that are being suffered by their customers, real or spurious.
Biderman, however, lost his job, and his reputation is tarnished. What's not clear is whether the clearly porous security at ALM was his fault or the fault of a board and management team that refused to invest in security.
One would presume that ALM will also suffer its own consequences as the lawsuits and damage claims pile up from customers whose trust was breached along with the company's network.
Perhaps then we can find out if there are penalties worse than losing a lawsuit in Canada for what is clearly gross negligence. Is there a way for senior executives and board members to experience a little jail time for gross negligence? Sadly, I suspect not.
Beyond that, we're left with questions. The first is what can be done to sufficiently punish business leaders who are so cavalier with their customers' privacy that some of them end their own days? In the United States, the Federal Trade Commission can go after them. But what will happen to a Canadian business when the victims are located in 50 other countries remains to be seen.
The next question is whether there's a way to find out if your name appears on the Ashley Madison list. Security expert and researcher Troy Hunt has created a free service that can check to see if your name appears on the Ashley Madison list, along with information as to whether it has appeared in one of many other breaches.
However, because of the sensitive nature of the Ashley Madison data leaks, he will not show you anyone else's information. For that, you're going to have to find the list yourself.
Finally, there's the question of what can be done to make folks in the C-levels take network security seriously. Right now, their companies can be sued, and there are laws that make failure to protect some types of data a criminal offense, but what about the rest?
I realize that Ashley Madison customers aren't a sympathetic group, but there are many other sites that store personal information that can really hurt someone if it's exposed. Shouldn't there be protection for everyone?