A Unique Data Breach
It is rarely that a data breach occurs where there is public uncertainty as to the moral validity of the action in question. Traditionally, data breaches receive almost uniform disdain by the general public and informed commentators.
However, on occasion, data breaches occur which can result in varying public response, in particular if those breaches occur against a party which is unpopular or where the breach occurs in the self-declared form of 'hactivism'.
The Ashley Madison breach is a unique beast, however. On one level millions of personal records of living individuals were stolen, including a ream of sensitive personal data (specifically, sexuality), as well as financial records, all of which can have major implications on the individuals involved.
Of course, what makes this breach more contentious is the nature of the site itself. for those unfamiliar, ashleymadison.com is a site that promotes married people having affairs. Not your usual dating site, admittedly, but certainly a site which contains explosive personal data, should it ever have been breached.
The organisation which claimed responsibility for this breach, Impact Team, shortly after committing the breach demanded that the owners of the site take it down within a defined period of time. Having failed to agree to this, Impact Team then began publishing the 34 million records unto the darknet, wherein the general public could satisfy personal curiosity and search the names and details of all the people concerned.
Unsurprisingly, there has been a huge response online. Polls, commentaries and articles have popped up over the past number of days, and the clear indications are that the morality of this data breach has not followed the traditional trajectory of others which have preceded.
From a data protection perspective, however, we must set aide the morality questions, about the individual's actions. In other words the purpose of the data, outside of our sphere of definitions, such as excessive processing ET AL, should not be of any concern when we look at this issue.
Instead, what we should see is a very significant data breach, involving millions of records of sensitive personal data, and recognise the impact that this will have on Ashley Madison as a brand, and the individuals whose personal data has been compromised.
This case brings to mind the vital importance of impartiality which every Data Protection Officer should practice in their day to day role. It is always important to remember that your role is to uphold the data protection rights of the data subjects under your remit, and not to broaden that responsibility to others who are not within your sphere of responsibility. Clarity of purpose is a skill which enhances the decision making faculties of any Data Protection Officer.
Finally, it should be noted that suspicion on the data breach in question is currently pointing towards a third party. Irrespective of whether this turns out to be the case, we should always be mindful of the significant risks we take on by allowing third parties access to our data, and the need to ensure this is properly controlled and contained, to minimise risks as much as possible.