The consequences of the Ashley Madison breach continue this week, with law enforcement inquiries and lawsuits starting to pile up for the website, which is known for promoting extramarital affairs, and for its parent company, Avid Life Media.
The incident offers important lessons for CIOs on how to deal with a massively public breach event.
First, try to find out who caused it. See if someone will turn in the culprit or culprits.
Toronto-based Avid Life Media has announced a reward of $500,000 Canadian (US $376,000) for information leading to the identification, arrest, and prosecution of the person or persons responsible for the breach.
If nothing else, it's a start.
Avid's statement also talked about the ongoing investigations.
"The 'Project Unicorn' law enforcement task force members that appeared in Toronto today, led by the Toronto Police Services (TPS), and accompanied by the U.S. Department of Homeland Security, the Ontario Provincial Police, the Royal Canadian Mounted Police, and the U.S. Federal Bureau of Investigation, have been actively investigating all aspects of this crime for more than a month," according to the company's Aug. 24 statement. "As TPS indicated at today's press event, the investigation is progressing in a 'positive direction,' but more help is needed from the outside."
Avid is following the damage control playbook here by publicly showing its efforts to minimize consequences of the breach. If the hackers are arrested and charged, no further disclosures will occur.
Avid also addressed customer concerns about financial information stolen from the site in a statement. "No current or past members' full credit card numbers were stolen from Avid Life Media. Any statements to the contrary are false. Avid Life Media has never stored members' full credit card numbers," according to the company's Aug. 19 statement.
Here, the company is trying to get upstream of user fears by denying reports from others that may be out there. Avoiding the perception of a problem is also crucial to an effective damage control strategy.
In a situation like this, some people will have their own opinions on it. Noted security guru John McAfee, who has had his fair share of controversial episodes, believes that the Ashley Madison hack was an inside job.
McAfee went a step further and said that it may have been a female employee, but his rationale is somewhat thin on that.
"How did I come to this conclusion? Very simply. I have spent my entire career in the analysis of cybersecurity breaches, and can recognize an inside job 100% of the time if given sufficient data -- and 40GB is more than sufficient," McAfee wrote in the International Business Times on Aug. 24. "I have also practiced social engineering since the word was first invented and I can very quickly identify gender if given enough emotionally charged words from an individual. The perpetrator's two manifestos provided that."
Interestingly, there have been no comments from Avid Life Media about McAfee's thoughts. That may mean that it is also using one of the basic damage control tactics: Keep an open mind.
By considering all possible scenarios, institutional biases that may blind you may be avoided in the pursuit of a resolution.