Email Extortion Aimed at Ashley Madison Users

The hack of Ashley Madison, the dating website for married people who want affairs, resulted in data for its 37m users being dumped online. Now blackmailers are reportedly targeting the email addresses, sending them demands for bitcoins. Victims are threatened with the prospect that their “significant other” will be informed of the Ashley Madison data unless the money is transferred by a deadline. Security experts are also warning that compromised email addresses will also be used to bombard victims with phishing attacks and malware.

Toronto Police say that two unconfirmed suicides may have been prompted by the leak. Avid Life Media, the company which runs the Ashley Madison website, is based in Toronto. One interesting innovation by the police is that they have set up a dedicated Twitter account and hashtag for the case, allowing people an alternative method of sending them tips about the culprits.

Two Canadian law firms have instigated a massive class action lawsuit on behalf of affected Canadian users. The press release from the lawyers highlights that many customers paid additional fees to have their personal data removed, only for it to be subsequently compromised by the hackers.

Though Ashley Madison customers have particular reasons to protect their privacy, the wider message is that poor security around personal data can have consequences which cannot be fixed with money or bland corporate apologies. All sorts of businesses have been greedily harvesting email addresses for years, but do they have the wisdom to recognize that old and little used email addresses may be a greater liability than an asset? We are reaching a point where spammers might as well as possess the modern equivalent of a phone directory, listing everybody’s email address. Combining this data with other personal information just increases the potential harm. And because email addresses often double as usernames, they make it easier for criminals to hack into other online services.

The repeated degradation of personal data is also degrading our freedom to use electronic communications for all sorts of activities that require security. Email has changed the world, but repeated abuse of email may eventually push people into adopting alternative forms of communication, including the message services preferred by Google and Facebook… and do we really want even more of the world’s communication coming under their control? Telcos need to lead by example and encourage the push towards two-factor authentication for many more online services. And customers need to ask themselves what kind of a deal they accept, if they hand over sensitive information to firms but have no evidence that the firm handles their data in the way promised.

Eric Priezkalns
Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.