The Ashley Madison Hack Is Not OPM (But the Government May Be Watching It Anyway)

At some point on Monday, the hacker group Impact Team made good on a promise to release personally identifiable data of some 38 million users of AshleyMadison.com, a site that bills itself as a matchmaker for the adulterous. By Wednesday, the data dump had become international news.

A California-based data researcher who goes by t0x0 on Twitter found the set online and did some basic parsing and statistical analysis. Among the more predictable revelations: most of the registered accounts — 28 million — belong to men. And thousands of the accounts appeared, at least upon initial inspection, to belong to military servicemembers.

In the database, there were 6,788 accounts connected to emails at army.mil; at navy.mil, 1,665; usmc.mil, 809; af.mil, 657; and mail.mil, 206. And there were a few other domains with national security implications: dhs.gov, 45; whitehouse.gov, 44; and fbi.gov, 5. (Here’s a list of all the individual .mil domains, and here are lists of the navy.mil and af.mil domains.)

What’s the real blackmail potential here? Probably limited, since the material has already been made public. Moreover, much of the account information is obviously inaccurate — many of the email addresses use false domains, and it’s a good bet that many more are simply made up. AshleyMadison.com reportedly neither required nor checked to make sure an applicant’s given email was valid.

“Clearly, there are plenty of false records, including those from the White House, or yahoo.gov,” said CSO Online’s Steve Ragan. “However, the records with full account details, including profiles matched to personal and financial records, are going to be harder to dispute.” That is to say: credit card information is a more reliable identifier.

Does it represent a national security risk?

Patrick Skinner, a former CIA operative now with the Soufan Group, doesn’t think so. In an email, he called it “a minor issue in terms of matching names on the Madison data dump and the OPM hack. Might bring up awkward blackmail attempts perhaps. I’m sure people will try. But one can claim the emails are spoofed.”

People in the national security community are already under extra scrutiny, but that can ratchet up if you’re having an extramarital affair, or are spotted trolling for one. That makes you a blackmail risk, and therefore a potential insider threat.

At a Defense One LIVE event last month, Patricia Larsen, co-director of the National Insider Threat Task Force, said marital issues were one of many potential indicators that they would look at as part of a continuous evaluation.

“There’s a lot of information about you that’s already out there. We want to put it together in one place so we can short circuit the information gathering point,” Larsen said. “We haven’t waited three, four, or five years to see that, you’ve got some nasty credit problems, going through a nasty divorce, and are starting to get worse and worse evaluations over time.”

Someone attempting to access AshleyMadison.com from an government-issued device or from a work computer on the navy.mil or mail.mil domains probably doesn’t pose much of a corruptable threat, at least nothing that the Defense Department isn’t already aware of.

A Defense Department official familiar with the insider threat program said, “It depends on how deeply they were getting into the sites from work. There’s a possibility we would have already found them through user activity monitoring. We monitor for certain things.”

In other words, stop screwing around and get back to work.