Middle Georgians caught up in Ashley Madison information leak

FILE - A June 10, 2015 file photo shows Ashley Madison's Korean web site on a computer screen in Seoul, South Korea.
FILE - A June 10, 2015 file photo shows Ashley Madison's Korean web site on a computer screen in Seoul, South Korea. AP Photo

A recent leak of stolen data from the infidelity website Ashley Madison is hitting home, with thousands of users across Middle Georgia.

While it’s difficult to validate the authenticity of the data, it appears to include email addresses from local, state and federal government entities throughout the midstate, including Robins Air Force Base, schools and county offices.

Clint Murphy, who chairs the government accountability agency Common Cause Georgia, said the use of work time and emails for such a website is a “completely inappropriate use” of government resources.

“I’m not going to get into what people do in their own time, but they should not be using their government email address for that purpose,” he said. “If you want to go and do whatever that site is for, use your Gmail account and use it when you’re not at work.

“But it is inappropriate to use your government-issued email address to go on that kind of website for any purpose.”

Last month, hackers released a little more than 10 gigabytes of account and credit card information from more than 30 million users of the site.

The data, which The Telegraph reviewed, included members’ names, user names, profile information, addresses, email addresses, phone numbers and birth dates, as well as details of credit card transactions.

Cybersecurity specialists have said the information appears to be genuine, but it doesn’t mean that all of it is reliable. The website apparently does not verify email addresses, and it’s possible that a user could give the site a bogus email address or one that belongs to another person.

Nelbert St. Clair, a lecturer on information technology at Middle Georgia State University, said he believes the legitimacy of the data leak because of some prominent figures who have reportedly been discovered using the website with their personal credit cards, according to media outlets.

“(Emails) cannot be used to identify a person, but a credit card can,” he said.

The leaked data included about three dozen Middle Georgia email domains from Robins Air Force Base, Houston and Bibb governments, as well as four schools. The Associated Press reported that some 15,000 government email addresses nationwide apparently were used to access the Ashley Madison website, and that number includes thousands of .mil addresses used by members of the armed forces.

“We are aware of the online report identifying military email addresses allegedly associated with established accounts with both Ashley Madison and Established Men websites,” said Tannyr Watkins, in RAFB’s public affairs office. “The Air Force is working to gain an appropriate understanding of the situation.”

Watkins confirmed that “a few” RAFB email accounts were used on the website.

“Airmen are expected to use government resources appropriately,” she said. “Specifically, personnel may not use government computers for commercial activities that are incompatible with public service. Airmen are subject to discipline for inappropriate use.”

Barry Holland, director of administration for the Houston County Commission, said he wasn’t aware of any county employees whose emails had been caught up in the Ashley Madison data leak.

“Obviously our hope is that none of our 700 plus county employees would be involved,” he said. “To my knowledge, none are.”

He added that Houston County has a policy governing Internet usage of prohibited websites or other websites that would be deemed inappropriate in the workplace.

Depending on the infraction, employees who violate the policy could be disciplined with a verbal or written warning, suspended with or without pay and, ultimately, fired.

St. Clair, who has spent 18 years in the Army National Guard, said the Department of Defense doesn’t pay close attention to its own email traffic except in specific circumstances.

“The government doesn’t really monitor incoming emails unless there’s a virus attached to it or the email has a large attachment going out,” he said.

He added that incoming emails to a government domain are mostly scanned for viruses, and outgoing emails can be scanned for key words that might reveal anything sensitive, such as Social Security numbers or top secret information.

Any large, outgoing attachments are also scanned in the same way to ensure they’re not confidential documents.

But when it comes to computer system security, St. Clair said the biggest threat to organizations often comes from within.

One measure, he said, that companies and technology users could take to protect themselves is known as a “two-factor” or two-step authentication.

For example, it could be a requirement to have an access card with a computer chip -- as well as a password -- before you can obtain access to any system.

But St. Clair thinks there’s not much that companies can do to prevent this type of data breach.

“If somebody wants to steal your car, they will find a way to steal your car,” he said. “If somebody wants to break into somebody’s network, they will find a way.”

To contact writer David Schick, call 744-4381 or find him on Twitter@davidcschick.

Related stories from Macon Telegraph