One of the most surprising takeaways from the post-breach dump of online dating site Ashley Madison's subscriber information is the number of users who apparently signed up using their work email addresses.
Assuming the email addresses are legitimate, then users are putting their employers at risk from extortionists or blackmailers, warns Stephen Coty, chief security evangelist at cloud security firm Alert Logic.
The employees' participation in an infidelity-focused dating site also potentially gives adversaries instant leverage against them, for example, by threatening to reveal their activities to their spouse or boss. In fact, security experts say they have already seen attempts to blackmail Ashley Madison users for bitcoins, and warn that at least one private-investigation firm has been spamming the email addresses in the data dump with a pitch for its services, warning them that the information "could ruin your life" (see Ashley Madison: Spam, Extortion Begins).
To help mitigate the risk that blackmail and extortion campaigns might target employees, employers' security teams should review every public data dump tied to recent breaches - not just the Ashley Madison hack - to see if their staff members are exposed, Coty says in an interview with Information Security Media Group (see audio link below photo).
He also recommends organizations finally get serious about enforcing email-related corporate security policies. "HR and corporate security policies have traditionally gone unenforced," he says. "I've been running security teams for well over a decade, and I can tell you consequences are usually just a slap on the wrist. Everybody kind of laughs about corporate security policies because no one really enforces them."
Coty, who reviewed the Aug. 19 Ashley Martin data dump that reportedly contained information on more than 30 million of the dating site's subscribers, says it contains more than 7,000 Army.mil email addresses, plus more than 125 official U.K. government email addresses, 150 emails that trace to Shell.com, 190 from Wellsfargo.com, as well as several dozen Whitehouse.gov emails and 13 Starbucks.com email users. (Since then, two more data dumps have come to light, but to date it is not clear that they contain any additional customer information.)
In this interview, Coty also reviews:
- Proactive steps that every security team should be taking in the wake of the Ashley Madison data dumps;
- The need for organizations to monitor and enforce all of their security policies;
- Techniques that the Ashley Madison hackers - called "Impact Team" - might have used to hack the dating site.
Coty, chief security evangelist at Alert Logic, is a member of Information Systems Security Association, Infragard and the High Technology Crime Investigation Association. Before joining Alert Logic, he was the manager of cybersecurity for Rackspace Hosting and also worked at Wells Fargo Bank, Applied Materials, Stanford Medical Center and The Netigy Corp.