The leaked Ashley Madison data on thousands of government and military workers are likely to create troubling cybersecurity and national security concerns for Washington, security experts said Wednesday.
Foreign intelligence services and digital crime rings are probably “digging through” the mammoth database of the more than 36 million people who registered for the extramarital dating site Ashley Madison, said Tom Kellermann, chief cybersecurity officer at security firm Trend Micro.
{mosads}The information in these profiles could lead to extortion and highly targeted cyberattacks, security specialists explained. For government and military workers, that might put sensitive projects at risk, expose mid-level officials to blackmail and help foreign adversaries flesh out intelligence reports.
“How much does that jeopardize their work, mission, national security?” Kellermann wondered.
According to researchers and reports, roughly 10,000 of the exposed emails seem to be genuine government and military accounts, ending in “.gov” or “.mil.”
Initially, 15,000 compromised emails appeared to be tied to federal employees, but researchers have since culled some obviously fake or nonexistent accounts. Ashley Madison did not verify emails when users signed up.
In many cases, these emails are combined with full names, phone numbers, addresses, and typical dating profile information, possibly revealing personal sexual proclivities.
Some experts compared the Ashley Madison incident to the recent data breach at the Office of Personnel Management (OPM).
Suspected Chinese hackers infiltrated two databases at the agency, including one that contained exhaustive security clearance forms. The deeply personal forms included details on past drug and alcohol abuse or extramarital affairs that even close relatives and friends did not know about.
It’s believed Beijing officials wanted the information as part of an ongoing espionage campaign to create a thorough database on U.S. government workers that could be used to stage future cyberattacks or even to recruit informants.
The leaked Ashley Madison information could be used for similar intelligence gathering missions, experts believe.
“The more information that’s out there about people in sensitive positions, the more you can fill out a complete dossier on them,” said Michael McNerney, a former cybersecurity policy advisor for the secretary of Defense and a Truman National Security fellow.
Some even floated the idea that foreign governments could blackmail U.S. officials with the Ashley Madison data, threatening to tell a spouse about their partner’s membership at the site.
“It’s like having pictures,” said Carl Herberger, vice president of security solutions at network security firm Radware. “It’s the modern day equivalent of having pictures.”
But these same people noted that unlike the OPM incident, these “pictures” are now public. Spouses can browse to any number of websites that popped up Wednesday to see if their significant other’s email is included in the data dump, seriously reducing the data’s blackmail or extortion value.
Regardless, Kellermann believes the Ashley Madison database is crucial reconnaissance for digital thieves or cyber spies staging future attacks on the government.
For instance, the exposed phone numbers could allow digital adversaries to plant malware on a cellphone through a nefarious text message, Kellermann explained.
A hacker could then “tendril form that device,” he said, “into whatever network trusts you.”
If that trusting network is part of a government system, it would give the digital intruder a valuable foothold.
“It’s valuable for foreign intelligence services and it’s valuable for cyber criminals,” Kellermann said.
The government itself has yet to weigh in.
“We’ve just seen press reports on this, so way too premature,” State Department spokesman John Kirby told reporters in a Wednesday briefing.