On July 20th, CBC reported that a group of hackers announced that they had stolen 37 million records from AshleyMadison.com, an extramarital dating web service. While unauthorized access to and theft of data are nothing new (the U.S. government recently announced that over 21 million personnel records had been stolen by hackers), what is noteworthy in this incident is that, in addition to data from active users, data from inactive accounts, which had supposedly been deleted, was apparently stolen as well.
Given the private nature of the information on the website, AshleyMadison.com offered users the option of having all information related to their user profile deleted for $19.99 when they close their account. According to the hackers, this netted the web service over $1.7 million. The hackers allege, however, that the web service took the money but did not delete the data. The web service denies this, saying “The process involves a hard-delete of a requesting user’s profile, including the removal of posted pictures and all messages sent to other system users’ email boxes.” It is unclear if the deletion service also removes a user’s credit card and contact information from the site.
Whether the data was deleted or not, this is just the latest example of information thought to be long gone turning up and causing pain. When Target was hacked in 2013, along with credit card information, the hackers stole 10-year-old customer data that, although no longer needed by the company, had never been deleted.
Redundant, old and transient (ROT) information is everywhere, taking up space and adding unnecessary risk. It’s time to identify and clean up the ROT before the ROT causes your house to collapse.