could also include sensitive information, such as credit card numbers, and health
information, such as prescriptions. This data has a lot of value to people on the black
market because it helps with identity theft. When breached data includes unencrypted
credit card numbers, it can be used to make online purchases, leaving the owner of
that data with a financial loss. These risks are very worrying and, beyond being merely
inconvenient, some of these data breaches can have a genuine human impact.
A prime example of this was the Ashley Madison data breach in 2015. Ashley
Madison is a dating website for people looking to have extramarital affairs. In 2015,
a hacking group called the Impact Team stole the site members’ personal data. The
Impact Team threatened to release the members’ personal information if the website
was not immediately shut down. Ashley Madison didn’t comply with this request, and
on August 18, 2015, the group leaked more than 25GB of the site members’ data onto
the Internet.
Setting aside the nature of this website, imagine if you were a site member having
extramarital affairs. How would you feel? No doubt, very nervous that your partner
would find out. Shortly after the leak of this data, many Internet sites appeared to let you
publicly search this information for someone’s name or email address. This enabled
suspicious wives, husbands, or partners to search for information. You can only imagine
the fallout from this, as many people’s relationships broke down and divorces were filed.
Many celebrities and government officials were also exposed, which had an impact on
their careers. Not only does being exposed like this affect the people involved directly,
but imagine the hurt it can also cause families and children. Sadly, there were even a few
suicides reported due to this data breach.
The reason I mention the Ashley Madison data breach is to explicitly highlight
the human consequences that a data breach can cause. I am not only talking about
money stolen from a credit card, or someone’s identity being impersonated to apply for
credit, although these are very serious in their own right; I am talking about actual
consequences to people’s lives and families. No matter what your personal opinion is
about a website like this, the people that signed up for the service should expect that the
company would look after their data and assume that the data would be kept private.
In other words, it is the company’s responsibility to look after private and personally
identifiable information correctly.
Securely looking after personal data is a difficult problem to solve, and secure storage
of data can be an expensive problem for companies to deal with. Unfortunately,
there is still an attitude with some companies that they are too small to be attacked,
Chapter 1 What Are Data Breaches?