Ashley Madison Gets Hacked -- How Other Companies Can Avoid The Same Fate

Over 30 million users of Ashley Madison have had their information leaked after the online dating site was hit by a cyberattack. Given the nature of the site’s business, its data breach has been widely reported on, but how does it compare to some of the biggest corporate data breaches in history and how can other companies prevent it from happening to them?

A full transcript follows the video.

Sean O'Reilly: Be careful opening your emails, on this tech edition of Industry Focus.

Greetings, Fools! I am Sean O'Reilly joining you here from Fool headquarters in beautiful Alexandria, Virginia. Today is a tech edition on Industry Focus and I'm joined today by the incomparable Dylan Lewis. How are you today, sir?

Dylan Lewis: Good. I think my data's safe. That's good.

O'Reilly: Yeah. Be careful.

Lewis: It's a crazy world we're living in.

O'Reilly: If you haven't figured it out we're talking about cyber security today. It seems to me, just glancing at the news on a daily basis, the army, Ashley Madison, Sony (SONY -0.71%), Hillary Clinton has actually avoided it; everyone is getting hacked. What's going on?

Lewis: Our lead in for today's show is something we've wanted to talk about for a while. It's the recent hack of Ashley Madison. To bring people up to speed, attackers who call themselves the Impact Team...

O'Reilly: Great name.

Lewis: Great name. That could be an '80s action show. "The Impact Team".

O'Reilly: What was the acronym for the people who hacked Sony? Wasn't it something funny, too? They made fun of it on SNL.

Lewis: I forget.

O'Reilly: Oh, it was the RNC. They called themselves the RNC.

Lewis: Yeah. That's awesome. The Impact Team has posted several files from Ashley Madison's database. Ashley Madison is the popular website for people looking for affairs, generally speaking.

O'Reilly: 37 million names though?

Lewis: Yeah, it's crazy.

O'Reilly: That's a lot.

Lewis: The data has run the spectrum from customer data. So, emails, payment records, to emails from high level executives at the company.

O'Reilly: Nice.

Lewis: You get that tinge of what you'd expect from a retail hack and what you saw with the Sony hack a couple months ago.

O'Reilly: This is a lot more than the Target (TGT 1.03%) stuff, though. The Target one just got credit card numbers. How big is this?

Lewis: The numbers I've seen have been about 32 million.

O'Reilly: Wow.

Lewis: As most hacks go, it's actually really not that bad. Statista put out the top 10 biggest hacks in terms of data breaches in recent years and Adobe topped the list with 152 million users exposed from their 2013 hack.

O'Reilly: Wow!

Lewis: Next on the list was eBay (EBAY 0.88%) in 2014 with 145 million. Some other big names were TJ Maxx in 2007 with 94 million, and more recently was Sony in 2011. In 2011 their PSN network got hacked for 77 million users.

O'Reilly: It seems like nobody is safe. Just the other day it was announced that even the IRS' hack was a few hundred thousand more people than they originally thought. This is social security numbers. That's not good.

Lewis: Yeah. From a corporate perspective this is a company's worst nightmare, especially if you're in the e-commerce space. It totally ruins customer confidence in your internal systems and your ability to keep data safe. I think something we're seeing with a lot of places in the e-commerce space is they're looking to minimize the amount of friction that users have in buying things.

You look at Amazon (AMZN -2.56%) and they're doing 1-click purchases. You can only do that stuff if you have secure data and people trust your systems. Otherwise they're not going to be willing to trust it. It's really concerning in that respect. It's a huge problem if you business totally relies on discretion like Ashley Madison.

O'Reilly: Is that company private?

Lewis: They're private.

O'Reilly: They're done, right?

Lewis: They are owned by Avid Life Media. Similar to IAC -- Interactive Court -- they own a couple businesses that are within the same realm. Avid Life Media tried to take the company public in Canada a couple years ago and then looked to do it again in London, England.

O'Reilly: That's not happening anymore.

Lewis: That's not happening. One of the reasons they cited for not taking the company public in Canada was that it seemed like people couldn't buy into the business. They were worried about the business prospects of a company that relies entirely on people wanting to have affairs and is a catalyst for people having affairs. That's a tricky business to be in.

O'Reilly: Naturally.

Lewis: I think they thought they might find some comfort in going to Europe where attitudes are a bit more progressive.

O'Reilly: You're expected to have them.

Lewis: Right?

O'Reilly: We hinted at this in the intro, but you can't even safely open emails it seems.

Lewis: Something that these kinds of attacks subject users to is like a phishing scam. Once you have some information and an email address from someone, if you know they shop at a certain store, or they use a certain bank or something, you can email them masquerading as that entity and attempt to get personal data from them.

It's a lot easier to make an introduction when you know a little bit of background on somebody. It's kind of crazy how susceptible it makes them to that. One of the other things I think people don't realize with these hack is that a lot of people use the same log-ins for multiple sites. If you're able to get login credentials from a hack there's a decent change they're using that login for their Amazon account, or their bank account, or their brokerage account. There are a bunch of different things they'll use it for.

O'Reilly: Dylan, are all your passwords "password"?

Lewis: No comment.

O'Reilly: I want to talk about the companies that are trying to solve these issues, but before we move on, I want to make everybody aware of a very special offer for all of Industry Focus listeners. If you found this discussion informative, and you're looking for more Foolish stock ideas, Stock Advisor may be the service for you. It is our flagship newsletter started more than 10 years ago by Motley Fool co-founders Tom and David Gardner.

We're offering the lowest price out there for all of our Industry Focus listeners. It is $129 for a two year subscription to Stock Advisor. You will get two stock recommendations every month with insight from our team of analysts. Just go to focus.fool.com to take advantage of that deal. Once again that is focus.fool.com.

I'm here again with Dylan Lewis. We're talking about cyber security, don't open your emails; all that fun stuff. There are a lot of companies that are trying to solve this. We looked around the industry before we came in here and a lot of them are private, a lot of them are owned by the big corporations like Cisco (CSCO 0.44%); but one company that seems to be the market leader is FireEye (MNDT). Who are they? What's up with the name?

Lewis: They're a cyber-security firm and I think there are two easy ways to look at their business. They do monitoring and testing, which is machine based and real time cyber security protection.

O'Reilly: They'll test your system?

Lewis: Yes, they're looking for vulnerability against some of the more sophisticated attacks. I can get into that in a bit. Then they're looking for postmortems. They're also forensic specialists figuring out what happened to companies after attacks.

O'Reilly: There's a show in this. CSI: FireEye.

Lewis: CSI: FireEye. It really rolls off the tongue. Some of the stuff they specialize in related to their ongoing monitoring and things they check for is advanced persistent threats. These are the more sophisticated attacks which are stealthy and continuous computer hacking processes. They're looking at targeting a specific entity with these. For instance a company, or government agency.

Some of the more specific ones within that niche is something called spear phishing.

O'Reilly: Isn't that what they do in the Arctic?

Lewis: On the rivers. Phishing itself if masquerading as somebody else in order to gain information, like we talked about in the first segment. Spear phishing is similar in that it attempts to acquire sensitive information, but you're targeting a specific entity with it. Rather than having it be a broader, scattered shot type of thing you're looking at going after the login information for a specific company, or individual so you can work your way in.

People use this as a back door to get into security systems that they might otherwise have trouble getting access to. Another thing they're good at is zero a day threats. These are cyber-attacks against software vulnerabilities or flaws that are unknown and have no known patch, or fix.

O'Reilly: They're trying to learn the unknowable?

Lewis: The companies don't know that they have these problems, or vulnerabilities. Since they don't know, they can't patch them.

O'Reilly: Okay. They're like "We want to make sure we've got all our ducks in a row. See what you can find."

Lewis: Yeah. For the layman I like to think of it as system testing. Almost forcing an issue until you find something.

O'Reilly: A lot of people in this building love FireEye. We've sent some analysts out there to visit the headquarters and they were stunned. How does FireEye do it?

Lewis: For their ongoing monitoring and real time analytics they run what they call a "suspicious software suite" in a virtual environment. They monitor that in real time and use that to check for vulnerabilities. This approach has helped FireEye discover 18 zero day attacks in the past two years. According to their website this is "many more than the op 10 security companies combined."

That may sound like a low number, but you think about the potential liability of even 1 attack. Those numbers start to stack up pretty quickly.

O'Reilly: They actually caught things before they happened.

Lewis: Yes. They're catching things before they happen. I think a testament to their products, there's a company PR release from April that says "The U.S. Department of Homeland Security has certified FireEye's multi-vector virtual execution engine and dynamic threat intelligence cloud platform under the Safety Act. Certification is the highest level of liability protection available under the Safety Act. Customers of the certified FireEye technologies now have protection under the Safety Act from lawsuits or claims alleging failure of the technologies to prevent, or mitigate in an act of cyber terrorism. FireEye is the only cyber security company with products, technologies, or services certified under the Safety Act."

O'Reilly: It sounds like the "M" word: monopoly.

Lewis: That's a big pat on the back and a huge stamp of approval.

O'Reilly: This sounds great. There has to be a catch.

Lewis: In a lot of ways they are the industry leader, and I think they're one of the more innovative companies in this space. I think one of the big issues when you look at a company like this is that you have to have the right appetite to invest with them.

O'Reilly: I took a peak at their numbers before we came down. Oh my gosh. That's a lot.

Lewis: We were joking before the show and I said "great revenue growth, it's a bottom line only a mother could love".

O'Reilly: For those of you that haven't ever seen FireEye's beautiful income statements, revenue 2012: $83 million. That doubles in 2013 to $161, more than doubles last year to $425 million in fiscal years 2014. They're losing money left and right though. They lost $35 million in 2012, $120 million in 2013; $443 million last year -- which is their revenue, surprisingly. What's going on here?

Lewis: Part of the business of tech is heavily investing in R&D and getting people to buy into that R&D. With this company we're seeing huge investments and huge allocations in their research and development and the sales staff.

O'Reilly: The first days of Microsoft (MSFT -1.27%) there was a bunch of R&D, paying programmers to put out DOS and then once they built that and they got everyone to buy in, they had this constant revenue stream. All they had to do is update it and get Windows. It almost seems like FireEye does a lot of consulting. That isn't consistent revenue that you just collect money for.

Lewis: Right. Like I talked about before, there's two different segments of their business. I think the most appealing thing as an investor, or companies that are looking at being a bit more cyber secure is their ongoing monitoring business. That prevents you from being in the news and having these massive liabilities and potential lawsuits from users.

I think that's really their bread and butter. They're forensics unit is great, but it's a lot better to prevent something than to know what happened after the fact.

O'Reilly: Right. Companies like Target, The U.S. Army; they just give FireEye $10 million a year and say "Protect us."

Lewis: To bring this discussion full circle and back to Ashley Madison a little bit, a similar company -- FriendFinder Networks -- operates in a similar space. It's adults looking for adults, or adult entertainment oriented sites. They were hacked in May and brought in FireEye to launch an investigation.

It's a similar kind of business, similar problem, same company came up.

O'Reilly: Unbelievable. That is a testament to their market leadership.

Lewis: Absolutely.

O'Reilly: Very good. Thanks for your thoughts, Dylan.

Lewis: Always a pleasure, Sean.

O'Reilly: Have a good one. If you are a loyal listener and have questions or comments we would love to hear from you. Just email us at [email protected]. Again, that's [email protected]. As always, people on this program may have interests in the stocks that they talk about, and the Motley Fool may have formal recommendations for or against those stocks. So, don't buy or sell anything based solely on what you hear on this program. For Dylan Lewis, I'm Sean O'Reilly. Thanks for listening, and Fool on!