A serious cyber threat

A user visits Ashley Madison's Korean web site in South Korea June 10. The breach was reported July 19.
A user visits Ashley Madison's Korean web site in South Korea June 10. The breach was reported July 19. AP

The alarm bells are getting louder. #SonyHack, #HackingTeam, #OPMHack and now #AshleyMadisonHack. In the space of a few months, four data breaches have punctured a media sphere that has become jaded to the idea of the loss of data. Why?

We were spellbound by the internal emails revealed by the #SonyHack, which has had lingering effects on Hollywood.

The #HackingTeam event opened a window into the world of international surveillance technology and cyberweaponry – underscoring how far governments around the world are willing to go to spy on citizens.

The #OPMHack was about the vast stores of data retained by the federal government. To paraphrase: “Why hack governments? Because that’s where the data is.”

That brings us to the most recent #AshleyMadisonHack. It lacks the business effects of the #SonyHack, the privacy angle of #HackingTeam and the scale of the #OPMHack. However it makes up for all of that in terms of sheer prurient interest.

As a website that facilitates illicit sexual liaisons, the data its hackers are threatening to disclose have crushed the company’s planned IPO and future and put fear into the hearts of cheating spouses and significant others across the country. The potential personal wreckage is profound.

This brings us back to the growing volume of those alarms. What do they tell us?

First, despite all of the rhetoric from organizations and government, the hacking problem is getting worse and organizations are not effectively mitigating the threat. The reports of the security measures in place in all four hacks reveal security was negligently neglected. We are not talking about falling short of best practices or even good practices; we are talking about implementation of worst practices like plain storage of weak passwords and unencrypted data storage.

Despite the rhetoric of cybersecurity, organizations continue to prove they are not serious stewards of user data – even when it threatens their capacity to function. Their seriousness will apparently rise only when penalties for breaches rise.

Second, there is the “#” factor. Hackers are not concealing their actions or word gets out. In the private sector, many organizations fear the effect of such a disclosure on public confidence and brand. Public Relations 101 is to make full disclosure early and often. Concealing the problem only exacerbates it. Legislation to mandate disclosure of breaches should advance in Congress.

Third, hackers are getting better not just at the hacking but also the strategy. They are identifying better targets. Like any predator, they are interested in the weaker, more vulnerable members of the herd. Unfortunately for users, most of the herd is lame.

Going one step further, increasingly we see the effects of hacking not in terms of specific stolen data records, but the destruction of relationships between people and organizations built with trust. This trust is not easily restored.

This is especially important in the #SonyHack, #HackingTeam and #AshleyMadisonHack. Unlike the #OPMHack, these hacks were especially damaging because they revealed private and even secret information shared by actors other than the data holder.

The #SonyHack rekindled Google’s war with the MPAA. The #HackingTeam revealed the deception practiced by states on their citizens. And the #AshleyMadisonHack, of course, threatens to disrupt marriages. In each of these cases, the hacked organization lacked a direct stake in the collateral damage wrought by the disclosure. The stakes were simply not high enough for them to take the threat seriously.

They ignored the alarm bells because they didn’t see their house burning. It remains to be seen how long it will take for them to feel the heat.

John Laprise, Ph.D., teaches and writes on cyberstrategy.