Cyber-blackmail: How valuable is your personal life?

Interesting news broke recently about the alleged breach of 37 million customer accounts at AshleyMadison.com. For those of you that are monogamous and may not know the site, Ashley Madison is like Match.com, but unapologetically markets itself to those who wish to cheat on their spouse or significant other.

Read Rook Security CEO JJ Thompson’s comments to CNBC about the Ashley Madison breach here

Owned by Avid Life Media, it reportedly had soaring sales of $115 million in 2014, along with users in 46 countries and says it is the second largest dating service in the world behind Match.com. It runs all sorts of ads (including TV) that rival what regular dating sites do. As of this spring, it was even contemplating an IPO. In May, it had the opportunity to pick up millions more customers reeling from a breach at rival site AdultFriendFinder.com.

Well, those IPO plans can be shelved, along with any hopes of continued growth. Sites that cater to those looking to engage in cheating (or any other nefarious behavior) operate entirely on the trust principle. Basically, in exchange for payment, those flocking to the site will never get caught or exposed for their actions. Now, in addition to cheaters wondering if their mate will ever find out what they are up to, they have to wonder if cyber criminals are going to find out who they are and ruin their lives.

While it would be easy to say that these cheaters are getting what they deserve, I will let others have that easy analysis of the situation. I will instead visit a darker place about why breaches of this type are so dangerous.

So much of today’s discussion around breaches center on theft and fraud. Namely, intellectual property, stolen credit cards, identity theft or outright stealing of funds. There has been very little focus on blackmail, because hackers had little use for involving the people they stole from. Hackers had already stolen all they would need to commit their crimes.

You could make a case for stolen protected health information being used for blackmail, but I’m willing to bet it wouldn’t be as drastic by itself as some predict. Medical histories are pretty boring. People already talk about their medical lives and there are not that many medical conditions that people would pay to keep quiet. Me? I have trivial aortic regurgitation in my heart and some broken bones in my feet due to running.

But stolen details of who is cheating, what their sexual histories are, sexual preferences, etc? Combined with personally identifiable information, a hacker could own people with that information. Make them fear what is known, how much is known and when it will be divulged.

It’s disturbing enough to think of this kind of blackmail on a mass scale, just as it is disturbing to think of all the relationships that are about to end. It gets more disturbing when you start imagining the scenarios where this blackmail flips from personal to professional and affects those in corporate or government sectors.

Start stringing together various breaches that have taken place: Anthem, OPM and Ashley Madison — all with tens of millions affected in each case. Ignore for a moment that all breaches likely were not done by the same organizations and correlated. We are getting to the point where someone could tell with a high degree of confidence that a government employee with a high security clearance is cheating on his wife and has been for years and has also picked up a number of sexually transmitted diseases along the way. Or a company officer has been cheating on her husband, terminated a pregnancy and is in charge of the R&D division at a government contractor.

This is where it gets nasty. It’s not altogether difficult to track down and identify people from these “dating” site breaches. It is even less difficult to pinpoint who they are professionally and see what secrets they may be willing to give up to keep from being exposed. Could it really be in an organization’s best interest to pull back responsibility from those who have put themselves in difficult personal situations that could lead to their employers from being blackmailed?

There is already a precedent for this. If you recall during the last recession, people were put in difficult financial circumstances due to job loss and home foreclosures. Federal employees in financial trouble saw their security clearances denied, revoked, or otherwise restricted due to concerns that they would be in a vulnerable position for bribery and could be influenced to leak government secrets to save their homes and families.

Every breach we experience today helps enrich what’s been previously stolen, much in the way that traditional companies pay to enrich the consumer data they already possess.

If this Ashley Madison breach is fully exposed to the public (right now only a small number of records have been released), it could result in judgment day for a lot of cheaters and millions of scorned spouses, but also thousands of governments and corporations. Given that the hackers of Ashley Madison have already claimed that they possess incriminating details on the rich and powerful, it’s pretty likely that involves some high-ranking people inside a lot of places hackers would like to access.