Case study: Ashley Madison

In

$2$

$0$

$1$

$5$

$,$

$$Ashley Madison, a global social media platform facilitating extramarital affairs, experienced two data breaches, where hackers threatened to leak the personal account details of

$3$

$3$

$$million users to the public

$($

Hern & Gibbs,

$2$

$0$

$1$

$5$

$)$

$.$

$$The group of hackers blackmailed users

$$

$$including members of the UK Defence Ministry

$$

$$demanding bitcoin in exchange for not exposing them

$($

Hern & Gibbs,

$2$

$0$

$1$

$5$

$)$

$.$

$$The data breach meant that millions of users who had joined the site thinking their affairs would be secret, were faced with having their personal lives exposed

$$

$$with consequences for their relationships and their careers.

Ashley Madison did not have a robust system of data

$-$

protection policies, despite boasting about its security standards. The platform should have identified risks, based on the privacy concerns of its customers and informed by the regulations that govern data protection in its countries of operation, such as the UK

$$

s Data Protection Act

$2$

$0$

$1$

$8$

$.$

imagine that it is

$2$

$0$

$1$

$4$

$($

before the

$2$

$0$

$1$

$5$

$$data breach

$)$

$$and you are a compliance consultant for Ashley Madison. You have been asked to identify risks that could impact the organisation.

The GDPR

$,$

$$the applied GDPR and this Act protect individuals with regard to the processing of personal data, in particular by:

$($

a

$)$

$$Requiring personal data to be processed lawfully and fairly, on the basis of the data subject

$$

s consent or another specified basis;

$($

b

$)$

$$Conferring rights on the data subject to obtain information about the processing of personal data and to require inaccurate personal data to be rectified; and

$($

c

$)$

$$Conferring functions on the Commissioner, giving the holder of that office responsibility for monitoring and enforcing their provisions.

$2$

$)$

$$When carrying out functions under the GDPR

$,$

$$the applied GDPR and this Act, the Commissioner must have regard to the importance of securing an appropriate level of protection for personal data, taking account of the interests of data subjects, controllers and others and matters of general public interest.