Blackmail rising from Ashley Madison breach

Cyber criminals, always adaptable, are still attacking enterprises. But when the opportunities arise, they are getting personal as well

Cybercriminals are maddeningly adaptable.

If a Dark Web illicit marketplace gets shut down, others spring up almost immediately to take its place. If credit cards get tougher to hack, there is always spear phishing, poorly protected electronic health records or the unending variety of devices that make up the Internet of Things (IoT), most of which have little to no security built in.

All of which offer opportunities for blackmail.

Not that the concept is new. But criminal threats demanding ransoms have tended to lean more toward extortion than blackmail. As in: “Your computer is locked, and if you ever want access to your files again, here’s where to send $1,000 in Bitcoin.” Or: “We have penetrated your network, and unless you pay us, or do what we want you to do (a la the Sony hack, where the demand was to cancel the release of a movie deemed derogatory to North Korea’s Supreme Leader), we will expose not only business information, but the personal information of your employees.”

More recently, with the hack of Ashley Madison, the adultery website, which led to exposure of everything from personal information to nude pictures and sexual fantasies of 37 million users, some of the fallout has included offers to scrub the information – for a fee, of course. Or, threats to expose it, unless a “ransom” is paid.

In other words, it’s less about your business and more about you – information that could be embarrassing, socially damaging and/or cause major trouble in the most important relationships in your life.

yo delmar

Yo Delmar, vice president of GRC Solutions, MetricStream

Even if a marriage is already on the rocks, it could cause somebody trouble in divorce or custody battles. As J.J. Thompson, founder and chief executive of Rook Security put it to CNBC recently, “everything is leveragable by the right person who is looking for the right thing.”

Most security experts don’t see the Ashley Madison fallout as signaling a major trend toward personal blackmail. “Big, sweeping trends take time to develop,” said Eva Velasquez, CEO and president of the Identity Theft Resource Center.

But it is a crime of opportunity that they say is growing, because those opportunities are expanding.

“With the rise of Internet of Things, more personal data will be collected in devices ranging from wearables like Apple watches and Fitbits, to personal medical devices,” said Yo Delmar, vice president of GRC Solutions at MetricStream.

Carl Herberger, vice president of Security Solutions at Radware, agrees. “The Internet has the unique ability to record deep secrets of nearly everyone, and nefarious actors need not look far before they stumble upon some data that one might pay to keep from being revealed,” he said.

carl herberger

Carl Herberger, vice president of Security Solutions, Radware

It can start with a breach of personal information that, initially, has nothing to do with an embarrassing website like Ashley Madison, according to Rebecca Herold, CEO of The Privacy Professor.

Using that information, criminals can “create accounts on unsavory sites and then extort money from their victims in exchange for not telling friends, family and employers about it,” she said. “Many speculate that this is the case for some of those who were discovered on the Ashley Madison site.”

Impact Team, the group that claimed responsibility for hacking Ashley Madison, professed to be doing so to damage or destroy a company it considered immoral. But Suni Munshani, CEO of Protegrity, noted that, “the consequences of a breach can go well beyond the intentions of the original hacker once the data are released.”

“One thing we know for sure it’s that criminals will always find new targets and new ways to exploit information about those targets for their own advantage,” he said.

Indeed, an estimated 15,000 U.S. government and military emails were on the Ashley Madison list of customers. Combine that with the breach discovered this past June of the federal Office of Personnel Management (OPM), which reportedly compromised the personal information of an estimated 21 million current and former federal employees, and the blackmail possibilities are enormous.

suni munshani

Suni Munshani, CEO, Protegrity

That kind of “rich data,” Munshani said, means, “the personal and professional blackmail opportunities against individuals whose data were included in both incidents, as well as the organizations they work for, increases exponentially.”

It is hard to know how pervasive cyber blackmail is, experts say, because it doesn’t always get reported. “It’s not the kind of thing individuals publicize,” Delmar said.

Munshani agreed. “Successful blackmailing – when companies meet the demands of the blackmailers – flies under the radar of public exposure,” he said.

But there is general agreement that it is a growth industry for cyber criminals.

As usual, there is no way to guarantee 100% protection from such crime – the well-established cliché is that there are two types of organizations - those that know they have been breached, and those that have, but don’t know it. Still, organizations can make it less likely that they will be damaged from a breach.

Munshani said one way to do that is to protect the data with limited access and strong encryption, so that when hackers inevitably breach firewalls and other defenses, “all they would see is meaningless gobbledygook.”

Delmar had a similar message, noting that, “good security hygiene” includes, “encrypt the data, control access and monitor for exfiltration attempts.

The general advice is a reminder that nothing online is truly secure, no matter how dedicated to security an organization is.

Anything you want secret should not be in digital form,” Velasquez said. “People need to realize that the notion that they can entrust a company with their information is not reality.

“That’s their (online companies’) goal, and most of them have processes to make those best efforts. But hackers only have to be right once,” she said.

“So, know that when you conduct business online, it can be compromised. And know what the consequences are.”

Join the CSO newsletter!

Error: Please check your email address.

More about AppleCNBCCSOLeaderRadwareSony

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Taylor Armerding

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place