Previously we highlighted potential harm to individuals that could result from a Social Security number data breach. Now, let’s consider the potential ramifications if you are exposed in an online membership information breach.
Certainly anyone with a passing interest in cybercrime has heard of the data breach and exposure of 37 million records from Ashley Madison, the online platform promoting extra-relational affairs. Due to the explicit purpose of the website and the oft-assumed implications that membership in that site carries, the reports often included anecdotes of collateral damage done to those whose privacy was violated. But dating platforms are not the only membership-based communities on the web. There are groups based on religious affiliation and prior military service. There are groups for those with specific medical issues and groups for those seeking support for mental health. You can even find groups that promote professional affiliations and groups that connect stay-at-home parents of young children. Online membership groups may be identified as those sites that have “members only” areas, offerings, and services in which visitors must implicitly or explicitly affirm their solidarity with the organization’s values, purposes, and subculture.
The USA Cycling breach was discovered March 16, 2016. The data breached included personally identifiable information and the usernames and passwords of current and past USAC members. However, what makes a membership information breach different is that the information associates you with the subculture, purpose, agenda, and belief system of the organization. This creates a unique set of collateral damage possibilities to which individuals may be subjected:
- Targeted Attacks from Spear Phishing to Death Threats: Association with a religion, a political view, sexuality, or any number of demarcations can make you a target of those who have strongly opposing views – we generally understand this. But now, the FBI has started seeing a rise in pro-ISIS hacking groups that are putting their efforts into creating “kill lists” based on personal information obtained through data breaches. This takes the concept of targeted attacks to a whole new level – being put on a member-specific hit list.
- Potential Loss of Job: Organizations are increasingly concerned with the image portrayed by their employees, regardless of whether they’re on the job or on their own time. When a membership information breach allows the public to infer that a person’s views or behaviors are ethically divergent from their company’s policies, companies may find a reason to terminate employment for cause.
- Blackmail and Extortion: When confidentiality about a group subject is desired – for example, an online support group for parents of teenage drug addicts – exposure of that information gives criminals leverage to attempt blackmail or extortion against the victims. Often such victims will be reluctant to seek legal help because of the nature of the information which the criminals are leveraging.
The data compromised in a membership information breach is similar in many respects to the data in a PII breach, but the collateral damage that may be caused to individuals through association with the membership is much worse – possibly even life-threatening. PII identifies you; membership information allows criminals to make accurate assumptions about the subjective things about you: your values and what “makes you tick.” Therefore, membership information has the inherent capability to be far more damaging than regular personal information. Credit monitoring doesn’t really help in these circumstances, and unfortunately there is no other legal recourse for the victims.
In the next article, we’ll reveal the potential damage that can be done if your online activities information is collected by hackers.