I have been mining the leaked data from the Ashley Madison breach and discovered that over 14,000 government officials’ information has been compromised.
With such diversity of individuals, whose information was compromised through the Ashley Madison hack, you have to wonder what the lasting impact of this breach can be. What are the implications to the companies these individuals work for? Will these individuals give in to blackmail to betray their employer, save their marriage or relationship? What can this data, plus the information from breaches like OPM, be used for to compromise our national security or trade secrets? These are all questions employers should be asking themselves.
People will always be a risk to any company’s security strategy. When I was a penetration tester, I always relied on other people to gain access into an environment. I would commonly drop USB drives in parking lots, relying on someone to pick it up and plug it into their workstation just to see, out of curiosity, what was on the drive. 9 out of 10 times this would always grant me access into the customer’s environment.
Now with this latest breach, we have an opportunity to use a similar tactic to show evidence of a individual’s infidelity to motivate them to give me the information that I want. Once I have this information, I can sell it on the underground to either a competitor or an overseas start-up for considerably more than I could ever get by simply blackmailing an individual.
Should employers start locking down their internet and mail services to work functions only? Should HR and Corporate Security policies be enforced with actual consequences? These are all challenges that corporate security teams have been dealing with for years. Should we now start empowering our security teams to do their jobs efficiently? In order to do that job efficiently, companies need to invest in the people, process and technologies to build a comprehensive and effective security strategy. This also means investing in a threat research and intelligence function that will mine for lost and stolen data to understand and combat the risk that our employees introduce into our environments.
This is a sample of data to give you the extent of what individuals that used corporate accounts for their Ashley Madison account profiles. I tried to randomly hit domains from different countries and different industries.
502839 .uk
134 gov.uk
7245 Army.mil
7015 .gov
13 starbucks.com
46 Whitehouse.gov
150 Shell.com
190 Wellsfargo.com
87 Stanford.edu
16 chs.net
89 aig.com