Ashley Madison, a website that facilitates extramarital affairs for married people, suffered an epic data breach over the weekend, with hackers threatening to release the personal information of its tens of millions of users.
According to security blog Krebs on Security, which broke the story, the hackers, going by the name "The Impact Team," don't want money. Instead, they are morally opposed to the site's mission, and demanded that its Toronto-based parent company Avid Life Media take Ashley Madison and "sugar daddy" dating site Established Men offline.
What should you do when a hacker wants to destroy your company, and you have unwittingly destroyed your customers' trust? Inc. spoke with Patrick Peterson, co-founder of security firm Agari, to find out what leaders need to do in this situation.
Prepare for Armageddon.
Peterson describes the Ashley Madison data breach as "Armageddon"--especially for a site that operates on the anonymity and discretion of its users. "I have never seen this scenario before where the criminals say, 'Go out of business, or else,'" he says, adding that it could set a significant precedent for future attacks.
Your best defense, of course, is to prepare for an attack before it happens. Start by pinpointing your company's most valuable data, and encrypt all of it. Then, you need to employ a serious security strategy to protect your IT infrastructure. After these protocols are in place, go over your technical and legal response, and do dry runs with your PR team.
Take an inventory.
When the breach occurs, you need to know exactly what data was swiped. "The first thing you have to do is to figure out what the criminals have and if it is encrypted or not," Peterson says. "We have seen many cases, like Target, where it took weeks for them to figure out what the criminals took and if the data is valuable to them."
He says a small, inexperienced crew can pull off basic hacking of non-sensitive information and demand $10,000 to return it. But if you know all they have is public info, then you don't have to waste your time and money. Find out what the hackers have and how well it's protected, and use that knowledge to guide your response.
Call the cops.
In a statement, Ashley Madison said it has been working with authorities to investigate the act of "cyber-terrorism." Peterson says that this is an important move--whether or not you decide to pay off the hackers or ultimately press charges, "you want to open up that connection right away," he says. "Even if they don't come in guns-a-blazing, they could be a critical resource."
You must inform your customers and the public about what happened as soon as possible. "You can control the narrative, or the criminals can control the narrative," he says. "The companies that are up front and transparent right away garner a lot of good will with their customers. At the end, people care less about the facts than about a lack of faith and trust." Peterson adds that people will treat whatever you say with skepticism, so it's best to get out there quickly and aggressively. "It's a business issue and your customers deserve to know," he says.