Would you Trust a Cheat? Ashley Madison’s Biggest Mistake was IDM
The CEO of a publicly listed eCommerce company told me yesterday that he had to sit his wife down and prepare her for the chance that his name may be released as part of a trove of names, and tell her that it was all in the name of research. Just harmless, need-to-know research. It made me realise how edge-of-the-seat this is and how many people in public positions must be sweating it out. Any release is going to cause a feeding frenzy amongst the media, and maybe this is the one security event that is going to force boardroom executives to take responsibility for how their customer information is stored.
In case you have not read beyond the headlines, online extortionists are holding 37 million customer identities and profiles hostage unless AshleyMadison.com is taken offline. It is a lesson in human psychology when millions of people lay their trust in an adult service site based on discreet cheating.
So what happened?
Beyond the thin veneer of promises of anonymity, it looks like Ashley Madison’s identity management (IDM) was more teenager than grown-up. They linked identifying datasets and stored information they should not have been responsible for, outside of financial-level security. It is comforting to know that this was an outlier, right? Unfortunately, the simple fact of the matter is that most organisations are not experts in access management and keeping customer identity secure, and few outsource the important components to companies that adhere to the eCommerce standards set by PCI. Not just credit card information, but names, emails, addresses, profiles, history – this is the customer heart of a business, and if you lose their trust, well, don’t expect them to move back home without a lot of expensive counseling.
In another highly publicised hacking event last year, JP Morgan Chase lost more than 70m CRM details because they had omitted to use a PCI DSS compliant identity management service and they were easily picked off. Oops. Even the banks themselves sometimes forget to invest in bank-grade security. Now quite a lot of people have a 360-degree view of their customers. What this shows is the power and value in customer data besides financial information, and unless boardrooms start looking beyond their IT departments for expert management, there will be more pain to go around.
Secure Identity Management & CRM
With the recent proliferation of cloud-based identity management and CRM services, it is easy to become complacent. However, very few of these services are compliant with financial-grade security, so there is going to be a roundabout of breaches over the coming years, and it is going to get bigger. There is an amplifying kicker here too – social login and networks like Facebook linked to customer profiles. Not only will information about the customer be exposed, but also information about their friends and their extended social activities. It is not hard to imagine a world in which your strongest customer advocates and their friends, and the friends of their friends, turn against you en masse.
Unfortunately, at best, brands will lose their customer lists to competitors and be embarrassed; at worst, there will be no customers left.
In a single swipe, Ashley Madison’s $200m IPO payday looks like it is going to be much worse than a bad hair day.
What are your thoughts? Please feel free to share your thoughts on the importance of secure identity management solutions.