Fake women, fake privacy, real hack – that’s the way my eulogy for Ashley Madison’s IPO would start. Fake women, because the ratio of female names to male names in the hacked database dump is skewed extremely male. Fake privacy, because everyone now has access to Ashley Madison’s private database. Real hack, because the hackers have actually ruined people’s lives.
Use this handy tool to find out if your Ashley Madison account data is available online.
CNBC’s Jon Fortt said the Impact Team (the people who claimed credit for the hack) committed the “politest possible hack,” because more nefarious hackers would have kept the data secret and blackmailed people with it.
He’s right, of course. As bad as this is, it could have been a lot worse. Our current law enforcement infrastructure was not built to investigate 30 million simultaneous blackmail cases. According to Business Insider, some criminals have already tried to use the information from the Ashley Madison hack for blackmail. But as Jon pointed out, there’s no reason to pay the blackmailers; the information is already publicly available. What if it weren’t?
Promiscuous Login
Before Facebook, Twitter and Google login tools (say, three to five years ago) most people were all too happy to enter their data into any website that asked for it. Websites loved to collect registration data – it was (and still is) important for customer relationship management (CRM) as well as for financial reporting.
How Many Websites Have Your Data?
It’s a reasonable question. Ten, 20, 50, 100? How many of them do you still use? How many of them are still in business? What credit card numbers did you expose? What personal information could be aggregated? If you are an average user, the answer is simple: all of it.
Attack Surfaces
There is no way to go back and fix all of this. We are all vulnerable to attack from places we have long forgotten. In some cases, hackers will be breaking into the equivalent of an abandoned public park. No harm, no foul. But in other cases, sensitive information (such as the data exposed from Ashley Madison) will be made public. It’s a virtual certainty.
What to Do About It
Back in May 2011, I wrote a book entitled “Overcoming the Digital Divide: How to Use Social Media and Digital Tools to Reinvent Yourself and Your Career.” There’s a section about email that was true then and it’s even truer today. You need no less than four separate email addresses: work email, personal email, junk email and super-secret email. Work and personal are self-explanatory. Junk email is for website and app sign-ins that require double opt-in or verification, but you never use it for anything else. It doesn’t need a spam filter – everything in the account is basically spam. As for your super-secret email address … I’ll let you decide what content may be associated with it. I’ll just remind you that a secret is secret only if you keep it to yourself – once you share it with anyone, it’s no longer secret.
If you want to take this to the next step, it may be time for a burner phone. That’s an inexpensive pre-paid cellphone you get at a convenience store. Use it up and throw it away. If you think it’s too expensive to keep buying phones and you want to top off a burner phone with new minutes using your credit card, be aware that it is no longer a burner phone (it has a MAC address, and you’ve just associated a credit card with it). Burner phones and associated minutes should be purchased for cash (green dollar bills) and discarded after use – burned!
Privacy Should Not Be Confused with Anonymity
Eliot Spitzer sent a private wire transfer to pay for his hookers; he did not make an anonymous one. If you need a credit/debit card to transact web business, buy a Visa or MasterCard gift card or a gift debit card with cash and use it for the single transaction. This may seem like too much effort, but some sites only accept credit/debit cards, and when you want to secure your privacy, you need to use tools that enable anonymity.
A More Practical Solution
If you’re going to do some “underbelly of society” stuff, take the time to learn how to do it. If you are not willing to learn to keep your private life private, then don’t do any of it online. Repeat after me: “There is no reasonable expectation of privacy in the 21st Century.” Go ahead, say it out loud – say it until you believe it.
In practice, you should become expert at using your four separate email accounts. I really would not worry about credit card data – that is a problem for the issuing bank, not for you. Social Security numbers are also not a big deal. (Some people and organizations that scare people for a living will tell you otherwise.) You need to be personally targeted for that kind of identity hack to really have an impact on how you spend your day.
One Last Thing
Today is a great day to ask your IT department, your CIO or your CTO to give you an status update about your security and business continuity plans. What would your day be like if you were the CEO of Ashley Madison? It’s an important question to ask. Who would be called first? Who would speak to the press? Who would deal with XYZ? We work with some of the world’s best cyber security and business continuity professionals. If you’d like to speak with someone, just give us a call.