The hack of Ashley Madison, the dating website for married people who want affairs, resulted in data for its 37m users being dumped online. Now blackmailers are reportedly targeting the email addresses, sending them demands for bitcoins. Victims are threatened with the prospect that their “significant other” will be informed of the Ashley Madison data unless the money is transferred by a deadline. Security experts are also warning that compromised email addresses will be used to bombard victims with phishing attacks and malware.
Toronto Police say that two unconfirmed suicides may have been prompted by the leak. Avid Life Media, the company which runs the Ashley Madison website, is based in Toronto. One interesting innovation by the police is that they have set up a dedicated Twitter account and hashtag for the case, allowing people an alternative method of sending them tips about the culprits.
Two Canadian law firms have instigated a massive class action lawsuit on behalf of affected Canadian users. The press release from the lawyers highlights that many customers paid additional fees to have their personal data removed, only for it to be subsequently compromised by the hackers.
Though Ashley Madison customers have particular reasons to protect their privacy, the wider message is that poor security around personal data can have consequences which cannot be fixed with money or bland corporate apologies. All sorts of businesses have been greedily harvesting email addresses for years, but do they have the wisdom to recognize that old and little-used email addresses may be a greater liability than an asset? We are reaching a point where spammers might as well possess the modern equivalent of a phone directory, listing everybody’s email address. Combining this data with other personal information just increases the potential harm. And because email addresses often double as usernames, they make it easier for criminals to hack into other online services.
The repeated degradation of personal data is also degrading our freedom to use electronic communications for all sorts of activities that require security. Email has changed the world, but repeated abuse of email may eventually push people into adopting alternative forms of communication, including the message services preferred by Google and Facebook… and do we really want even more of the world’s communication coming under their control? Telcos need to lead by example and encourage the push towards two-factor authentication for many more online services. And customers need to ask themselves what kind of a deal they accept, if they hand over sensitive information to firms but have no evidence that the firm handles their data in the way promised.