bodyType

customContents

entityId

entityUuid

articlePageQuery

filter

article

articleBaseAdvertisingInfoArticle

articleListArticle

articleSeoArticle

helpersCheckIsPostiesArticle

hooksArticleAcknowledgementGateOverlayArticle

hooksTrackPageViewArticle

hooksContentInterestArticle

articleLinkingDataContent

articleSchemaContent

liveArticle

advertZone

sentiment

contentLock

topics

types

sections

moreOnThisArticles

urlAlias

commentCount

sponsorType

authorLocations

authors

paywallTypes

corrections

displaySlideShow

multimediaEmbed

printHeadline

seriesContainer

socialHeadline

headline

flag

firstTopic

glossary

flattenTypeIds

publishedDate

additionalInfoBoxes

images

image

relatedLinks

relatedNewsletters

__typename

createdDate

sponsor

factSheets

series

knowledgeQuestion

disableOffPlatformContent

published

updatedDate

summary

subHeadline

body

keywords

copyrighted

customTimezone

liveContents

James Griffiths

As the fallout from the major hack attacks on infidelity-dating site Ashley Madison and the US Office of Personnel Management continue, experts say we may need to reassess how much data is stored on users if it cannot be protected. 
More than 50 million people had personal and sensitive data exposed in the OPM and Ashley Madison hacks, which were discovered in April and July of this year, respectively.
READ MORE: Most adulterous area of Hong Kong revealed: Ashley Madison 'cheating map' shows surprising results
They came in the wake of major data breaches at Sony Pictures, late last year, and Target, which agreed in March to pay out US$10 million to those affected. 

"If you can't protect it, don't collect it," Richard Bejtlich, chief security strategist at US cybersecurity firm FireEye, told the South China Morning Post.
"We have to come to terms with the idea that no one really has the ability to keep a determined intruder out of your enterprise." 
Unless companies are willing to pay for expensive detection and response systems – that fight a sort of guerilla war against attackers within the system, with the intention of frustrating them enough that they seek another target – it is highly unlikely they won't someday be breached, Bejtlich said. 
"[In that case] reduce the amount of data you have, get rid of sensitive data if at all possible, so you don't have to carry around the burden of protecting it." 

David Shearer, chief executive of certification and security firm (ISC)², agreed. 
READ MORE: Third of Hong Kong apps vulnerable to hack attacks as watchdog calls for urgent security improvements
"If you're going to collect personally identifiable info on anyone and you don't have a high confidence of protecting it, then don't collect it," he said. 
As an investigation by the Post discovered, contained within the gigabytes of data released by the Ashley Madison hackers were home addresses, dates of birth, phone numbers, and even sexual preferences. 

Members of the cheating site have been blackmailed, with criminals threatening to expose their data if they don't wire them untraceable bitcoins. 
According to US officials, the hackers who breached the OPM may have made off with even more sensitive data, including security clearance information and social security numbers. 
"Companies tend to hold more information and personal data than they need," said Jack Chan, a security strategist with research firm Fortiguard Labs. 
Data may not even be being used, he said, just collected for future data mining or marketing purposes. 
However, he warned that "it may be harder for a company to find the incentive or justification to reduce the amount of held information than to strengthen its protective measures". 

Asked whether there was risk that repeated high-profile hack attacks like the Ashley Madison or Sony breaches could lead to people feeling hopeless about protecting their data, Shearer compared the problem to a disease that is difficult to find and treat. 
"Is there just more cancer, or do we just have more tools to find it?"
As detection methods improve, and more hacks are detected, "there's a potential people become desensitised to it," he said. 
However, the large scale fraud that could come from a hack on the scale of the OPM attack has yet to be felt, he said, and "when people start to feel it hitting them" they will demand better practices across the board. 
"They'll demand to do business with organisations that can give them some semblance that they're taking seriously the protection of their personal information." 


Companies must be willing to go to war against hackers to protect sensitive data, or stop collecting it: experts

Photo: Elhombredenegro

Photo: AP

Richard Bejtlich, chief security strategist at US cybersecurity firm FireEye, said determined intruders are nigh-on impossible to keep out. Photo: SCMP Pictures

David Shearer, chief executive of certification and security firm (ISC)², also believes companies that collect personal data on people owe them a duty of care. Photo: SCMP Pictures

Jeff Ashton, State Attorney for Orange and Osceola counties in central Florida, answers questions at a news conference on August 23 in Orlando after reports claimed he was a paid member of the Ashley Madison cheating website. Photo: AP

Tech

Enterprises