Fallout from the Ashley Madison breach is now more than just angry spouses.
Police say extortionists are targeting customers of the adultery website who had their personal details dumped onto the Internet, and a half-million-dollar bounty is now on the heads of the hackers who put the data out there.
At a press conference in Toronto on Monday, law enforcement officials confirmed instances of attempted extortion stemming from the breach of data from Ashley Madison, a dating site geared toward married adults looking to cheat. Officials also said they are investigating reports of two suicides that may be related.
“This ain’t fun and games anymore,” acting staff Superintendent Bryce Evans of the Toronto Police Services told reporters. “It is reality.”
Members of what they call The Impact Team said last month that they hacked Ashley Madison’s parent company, Ontario-based Avid Life Media, and would leak embarrassing user data unless the site was taken down. Gigabytes of stolen files surfaced online as promised last week, including financial transaction logs, corporate documents and personal data pertaining to more than 30 million customers.
“This hack is one of the largest data breaches in the world,” said Superintendent Evans.
Officials from Canada and the U.S. at the morning announcement said they were working with international law enforcement in pursuit of the hackers. Superintendent Evans declined to speak further on the reported suicides apart from saying they were under investigation.
Avid Life Media and authorities have appealed for help from hackers within the cybercommunity — those who operate in the shadows of the Web where large-scale policing is impossible.
On Monday, Avid said it would award $500,000 to anyone who provides information that leads to the identification, arrest and conviction of the person or persons responsible for the breach.
CEO Noel Biderman earlier said he thought the hack was executed in house, or at least was the work of someone who had been authorized to access the data at one time or another.
Superintendent Evans said authorities have quickly become aware of criminal scams against Ashley Madison customers. Websites claiming they will query the hacked database on behalf of curious customers are actually serving up malware, he said, and extortionists are reaching out to people named in the leak and offering to make the data disappear for a nominal fee.
“Consider how expensive a divorce lawyer is,” one blackmailer wrote in an email displayed by Superintendent Evans. “If you are no longer in a committed relationship then think about how this will affect your social standing amongst family and friends.”
“Nobody is going to be able to erase that information,” the superintendent said.
Indeed, the information distributed from The Impact Team has made its way far and wide since the leaks started early last week.
Stu Sjouwerman, the CEO of Florida-based security firm KnowBe4, told The Washington Times that his company has been reviewing the cache and said it was as good as “gold in the hands of an attacker” because it’s rich in data and exploits emotions.
But coming on the heels of high-profile breaches such as those of Target and the federal Office of Personnel Management in recent months, the personal information discovered by hackers on Ashley Madison’s servers doesn’t necessarily present the same type of risk that would arise if Social Security numbers and credit card information were disclosed in the dump.
Superintendent Evans said authorities believe that only the last four digits of customers’ credit card numbers had been leaked on the Web, albeit alongside evidence of infidelity.
“From a financial standpoint, it’s not likely more dangerous, but the collateral damage is greater because we’re talking about extramarital affairs,” Bill Ho, the CEO of cybersecurity firm Biscom, told The Washington Times. “Beyond the strife from a spouse’s discovery, you can imagine additional factors like embarrassment those affected may feel if their employers or friends found them on the site.”
Michael Bruemmer, the vice president of Experian Data Breach Resolution, said that “while all data breaches are concerning, there is unique harm with this type of incident because of the reputational impact to both the company and its customers.”
Because “anonymity was a key part of their business model, the Ashley Madison breach has a larger business impact compared to the loss of a different type of information. From a customer perspective, some kind of personal or reputational harm is harder to repair than financial harm. There is no price you could put on a form of personal harm.”