Ashley Madison CEO Loses His JobExit Signifies Top Leader's Accountability for Data Security
(This story has been updated.)
The departure of Noel Biderman as CEO of Avid Life Media, parent company of the infidelity website Ashley Madison, represents a growing recognition of corporate executives' responsibility for data security.
Avid Life Media, in a statement issued Aug. 28, says Biderman and the company mutually agreed that he immediately step down in the wake of a hack attack and subsequent massive data leaks.
"This change is in the best interest of the company and allows us to continue to provide support to our members and dedicated employees," the statement says. "We are steadfast in our commitment to our customer base."
The Toronto-based company says senior managers will lead the company until a new CEO is named.
Nascent Trend: Removing CEO
Biderman's departure continues a relatively nascent trend of the top executive taking responsibility for a data breach that has significant consequences on the corporate bottom line. Retailer Target's CEO, Gregg Steinhafel, stepped down in 2014 after a massive data breach (see Breach Aftermath: Target CEO Steps Down). In 2013, hackers attacked Target's payment system, exposing information regarding some 40 million payment cards. Other top leaders jettisoned after major breaches include Amy Pascal as co-chairman of Sony Pictures Entertainment (see and Katherine Archuleta as director of the U.S. Office of Personnel Management (see ).
Enterprises that dismiss their top leaders after a data breach are attempting to change the enterprise's culture to facilitate good data security governance, says attorney Ron Raether of Faruki Ireland & Cox. "If CEOs lack vision with respect to cybersecurity, and they've demonstrated that and made poor decisions in the past, how can a board of directors be confident that a CEO is going to make better decision going forward?" Raether asks.
David Holtzman, vice president of compliance at information security and privacy consultancy CynergisTek, says CEOs and boards of directors should ensure their companies have the appropriate data security policies implemented and furnish sufficient funding to acquire technology and personnel to secure IT. "CEOs should be asking if cybersecurity has been given the appropriate priority and resources, are the company's third party vendors also securing their valuable information assets and is the effectiveness of the company's information security program being regularly evaluated and tested."
Eric Chiu, a former venture capitalist who's now president of HyTrust, a cloud control company, says data breaches could result in a huge cost to organizations, including loss of trust, brand damage, lawsuits and business impact. "Understanding and placing a high importance on security will be a key requirement moving forward for any executive in the connected world that we live in," he says.
The news of Biderman's departure comes days after Toronto police announced Ashley Madison is offering a $500,000 Canadian (U.S. $380,000) reward for information relating to the hacker or hacking group behind its data breach (see Ashley Madison: $500k Reward for Hacker). Police announced that the U.S. Department of Homeland Security and FBI have also launched investigations.
Data leaked from the Ashley Madison breach reportedly includes details of more than 30 million customers, including some who used email addresses tied to corporate accounts as well as official government and military accounts in the United States, Canada the United Kingdom and beyond.
Despite the damage to its reputation and service, Avid Life Media says it will continue its business as a site where married individuals can hook up with others. "We are actively adjusting to the attack on our business and members' privacy by criminals," the statement says. "We will continue to provide access to our unique platforms for our worldwide members."
In recent days, the attacker or attackers - using the name "Impact Team" - have released three batches of stolen data containing personally identifiable information for many of the site's current and former users. Since the Impact Team first began issuing threats against Avid Life Media in July, the company has released multiple statements decrying the attack as a case of "cyber terrorism." But it apparently has yet to issue any breach notifications to any of its claimed 39 million customers.