What the Ashley Madison hack could mean for national security

The release of information stolen from Ashley Madison, a site devoted to helping married individuals cheat on their spouses, could harm many people. But there is one group in particular — members of the military — that might suffer more than their civilian counterparts if they’re implicated by the data dump.
An estimated 32 million Ashley Madison users were affected by the hack of the company. Their email addresses, partial credit card information, and IP addresses were revealed over the weekend. For most people, the release of this data could be a problem. But for military members, being outed as adulterers could ruin their lives.
The Uniform Code of Military Justice is explicit about its stance on cheaters: they should be punished. Adultery itself rarely leads to a court-martial, but the charge is often added to other accusations against a serviceperson to increase their punishment, and could lead to much more severe disciplinary actions.
How severe? Well, adulterers could be punished with a year in confinement and a dishonorable discharge, which would cost them all veteran benefits. Some, like former President George W. Bush, have advised against taking all adulterers to court-martial. But still, the rule remains a part of the UCMJ.
It’s possible that many of the military email addresses used to sign up for Ashley Madison were fake. The company didn’t verify all account information, and someone might have used a fake email address to avoid a spouse’s ire, although that seems like a bit of a stretch. But given the other information available — including location data and the last four digits of customers’ credit cards — it doesn’t seem hard to identify personnel.
And this isn’t just a problem for the members of the military themselves. If the data hadn’t been made public and had instead been used for the hackers’ personal gain, holding this information over the head of someone in the military could have led to blackmail. That’s one of the main fears of any major security breach.
Just look at the breach at Anthem, the nation’s second-largest health insurer. One of the primary concerns was that whoever hacked the company had access to data that could inform phishing attacks against the military or government. (Anthem later said it was highly unlikely that the hackers received such information.)
Imagine if someone combined information from the two sources. You know who someone is, where they live, and that they joined a site to help them cheat. Would it really be that hard to come up with a phishing attack, or a compelling bit of blackmail, which could lead that person to make some kind of mistake?
Then there is the “potential for an attacker to reuse the stolen credentials on other Internet services or even government systems,” says Marcus J. Carey, chief technical officer of vThreat, a company that facilitates network attack simulations for enterprise networks. Should the AM data eventually be used to gain access to popular social networks, it could lead to a longer-term threat to national security, leading military or federal workers to lose clearances, according to Carey.

“Something like Facebook or Twitter could be used to send people to malicious sites. Other federal employees would trust links from other people they know and follow online. Huge phishing potential for federal and military personnel,” Carey told me.

It’s easy to make jokes about Ashley Madison users deserving to be revealed, or how the company might pivot to become a dating service for recent divorcées (Zing!). But underneath that dubious moral posturing lies a serious warning about how stolen data from any large website could be more dangerous than you’d think.
Still, it’s hard not to ask one facetious question: Why would people with so much to lose attach their Ashley Madison accounts to their work email? Carey can answer that, too.
“There is a popular saying in the cybersecurity world,” he says. “There is no patch for stupid. People are always the weakest link.”
Carey’s point about people being the weakest link in any security system might be troublesome for another reason: the potential that anyone affected by this hack used the same password across multiple sites. (Microsoft researchers said in 2014 that many people are unable to remember long, unique, complex passwords, so they often repeat them across multiple sites or use less-secure options.)
This might not be a huge concern, since Ashley Madison did use decent encryption for passwords, as Quartz points out. Yet dedicating all efforts to cracking a particular account’s encryption is very possible. And depending on the person and the nature of their private online discussions, a lot of sensitive information could eventually slip into the wrong hands.
“When the OPM hack of government employees’ data occurred so close to the Ashley Madison hack, pundits were quick to point out the possibility of applying big data analytics to a combined data set,” security industry analyst Richard Stiennon told Gigaom. “Now that the data has been dumped, it would be trivial to match up the records from OPM with anyone who works in government or has a security clearance and was also foolish enough to use their real name and email address on Ashley Madison.
“Of course journalists and researchers are all busy doing this today so those victims already have a problem,” he adds.
That’s more than a bit scary — not to mention that it may also increase the odds that hackers will attempt to use blackmail as a tactic to get what they want, according to Stiennon.
But there is one potential upside: Perhaps now people will take their privacy a little more seriously.
Ashley Madison’s breach is “going to have a big impact on this sort of behavior in the future,” Stiennon said. “That is the upside of breaches. Nobody takes security seriously until they have been personally impacted.” Maybe now some of the country’s most valuable targets will be just a little bit more cautious.