BreachExchange mailing list archives

Big names feel the power of hackers as corporate hotshots go down


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 1 Sep 2015 09:04:50 -0600

http://www.stuff.co.nz/technology/digital-living/71590101/big-names-feel-the-power-of-hackers-as-corporate-hotshots-go-down

Infidelity website Ashley Madison split with chief executive Noel Biderman,
after hackers revealed the company that encouraged people to have illicit
affairs wasn't very good at keeping its own customers' secrets.

Biderman is the latest in a string of high-profile corporate leaders to
lose their jobs amid the fallout of embarrassing cyberattacks - joining the
likes of former Sony Pictures Entertainment co-chair Amy Pascal in February
and former Target chief executive Gregg Steinhafel last year. The breaches
highlight how hackers not only can blow through a firm's security, the
modern foundation of consumer trust, but also threaten enterprises built on
discretion - and abruptly end high-powered careers.

Biderman was less known than the other corporate figures, and his company
was much smaller. But his downfall has attracted almost as much media
attention because of the audacious claims he had made about the benefits of
extramarital affairs - as well as the salacious details that spilled out of
the hack.

Leaked e-mails appear to show that Biderman himself pursued affairs -
something he had denied. The hack also exposed the names, addresses or
sexual preferences of 37 million accounts, and it is possible to search the
hackers' database for registrations belonging to friends, co-workers,
members of Congress or Hollywood celebrities who potentially put their
marriages in the hands of a company they hardly knew.

Many analysts and cybersecurity experts expressed doubts that Ashley
Madison would survive the hack. They agreed that Biderman had to go.

"We're talking about breaches that can put a business completely under,"
said Tyler Shields, a senior security analyst at Forrester Research. "The
boards have recognised the risk that comes with a major record-compromising
security breach - and when it's elevated to the board level, the ultimate
responsibility falls on the CEO."

The prospect of a chief executive losing his or her job over a cyberattack
barely registered as a concern a few years ago. But that changed after
hackers exposed vulnerabilities at a series of prominent corporations,
including Home Depot, Target, Sony Pictures, eBay and the health insurance
giant Anthem.

Some companies moved swiftly to hire technology specialists to defend their
corporate secrets from spying digital eyes.

Salaries for executive technology positions have been soaring. Chief
information officers, for instance, are now paid between US$157,000 and
US$262,500 a year, according to a recent survey by Robert Half
Technologies. That's about a 40 per cent rise from five years ago - an
increase greater than what chief executives or chief financial officers
experienced, the firm said. The unemployment rate of people who identify
themselves as CIOs is 1.7 per cent.

Toronto-based Avid Life Media, Ashley Madison's parent company, did not
cite a specific reason for Biderman's departure.

"This change is in the best interest of the company and allows us to
continue to provide support to our members and dedicated employees. We are
steadfast in our commitment to our customer base," a company statement
said. "Until the appointment of a new CEO, the company will be led by the
existing senior management team."

Biderman did not respond to multiple requests for comment through e-mail or
through messages left on his cellphone and the phone listed for his home in
Toronto.

As chief executive, Biderman had zealously promoted and defended his
business since it was launched in 2001.

In an interview with last year, Biderman explained Ashley Madison's global
reach. Infidelity, he said, is universal.

"You get married, and after a period of time, your sexual attraction to
your partner seems to wane," he said. "Both genders do it, even where it is
prohibited by law."

Biderman, who is married and has denied ever having an affair, argued that
cheating can be good for society - as long as the trysts stay under wraps.

As it turned out, his customers' secrets weren't safe with Ashley Madison.
Neither, apparently, were his. The hack exposed e-mails between Biderman
and several women in Toronto who sent him sexually explicit messages and
arranged to meet him in hotels.

A similar, if less seedy, embarrassment faced Pascal in the wake of the
Sony cyberattack - which revealed racially insensitive e-mails in which she
joked about President Obama's race and his movie preferences. Pascal
apologized for the e-mails, but they were thought by many to have
contributed to her downfall at the studio.

Executives are not the only ones who suffer in the wake of these breaches.
Among the Ashley Madison account holders who were outed in apparent quests
for infidelity were the viral Christian video blogger Sam Rader and former
family values lobbyist Josh Duggar.

Ashley Madison is among several relationship sites that hold immensely
personal data. Yet many of these companies have been criticised by
researchers for lax cybersecurity.

Dating sites Plenty of Fish and eHarmony have been breached in the past,
although the fallout paled in comparison with the Ashley Madison attack. In
May, the data for more than 3 million users of the hookup-oriented Adult
FriendFinder site leaked online after a cyberattack, exposing users' sexual
preferences and fetishes.

Plenty of Fish, eHarmony and Adult FriendFinder did not respond to requests
for comment.

Online dating sites can make juicy targets for hackers seeking not only
financial data such as credit card numbers, but also material for
blackmail, according to Adam Kujawa, head of malware intelligence at the
cybersecurity firm Malwarebytes Labs. The company recently reported that
online advertisements on Plenty of Fish were hijacked to spread malware.
"It's likely that the attackers were going after users of that site on
purpose," Kujawa said.

Researchers also have reported security flaws in dating sites Match.com and
OkCupid and the mobile app Tinder, which belong to a subsidiary of IAC.
Those issues have been resolved.

"Our users trust us with the most important search of their life, for
romance - and we take that very seriously," said Sam Yagan, chief executive
of the Match Group.

The Match Group hasn't implemented new security features in the wake of the
Ashley Madison breach, he said, but his company has been extra vigilant in
reviewing current policies. "If someone breaks into the house next door,
you double-check your locks."

He added, "Ultimately the CEO is accountable for everything - whether it's
a security breach or anything else that happens to a company."

Forcing senior executives to step down after major security failures may
scare others into investing more heavily in digital security, said Shields,
the security analyst at Forrester Research.

"For years, it's been a struggle for security experts to get the resources
and budget they need," he said. "At the end of the day, everyone is driven
by incentives - even negative ones."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
