The data breach affecting the notorious Ashley Madison dating site reveals the level of damage – both financial and reputational – that can be caused by cyber crime and underlines the importance of a proper breach response plan.
Operators with Ashley Madison – a service for married people wishing to cheat on their spouse – confirmed an “intrusion” into the site, but did not elaborate. Security expert Brian Krebs said a small percentage of user account data has been published online, however, and the hackers who claimed responsibility for the attack plan to post more until the website closes.
The information includes the real names and addresses of the site’s users, including those who pay $19 to “delete” their accounts.
Ashley Madison operates in more than 50 countries and has 37 million users. Owners Avid Life Media apologized for the attack and claimed to have secured the site.
“Any and all parties responsible for this act of cyber-terrorism will be held responsible,” the company said in a statement.
The attack comes just months after thousands of customer records from the casual dating site Adult Friend Finder were breached and made available online. It highlights not only the damage that cyber attacks can cause to commercial enterprises, but the particular reputational damage caused when hackers breach businesses that rely on assurances of customer security as part of their unique services.
According to a survey from American International Group, 85% of corporate risk managers, executives and IT security decision-makers in the US say they are more concerned about cyber risk and the reputational fallout it can cause than they are about any other risk.
And the impact of events that cause reputational risk is palpable. According to a Deloitte report, 41% of companies that experienced a reputation-damaging event say loss of revenue was the most significant consequence. The same number of respondents cite loss of brand value as the biggest impact from the event, while 37% put regulatory investigation at the top of their list of ramifications.
Henry Ristuccia, partner with Deloitte & Touche LLP and Global Governance, Regulatory and Risk leader, DTTL, suggested this puts pressure on company executives to properly account for security and breach response plans – something insurance agents can supplement with a proper portfolio of cyber liability and reputational risk insurance.
“CIOs and CISOs should be prepared to succinctly explain their company’s cyber risk profile and the measures they’re taking to reduce risk,” Ristuccia said.