MONTREAL—The ongoing fallout of the Ashley Madison data breach has highlighted the pitfalls of using work e-mail addresses for personal use.
The Toronto-based dating website, which promotes and facilitates extramarital affairs, was the victim of a recent cyberattack, with the personal information of millions of its users released publicly.
Hundreds of e-mail addresses in the data release appear to be connected to federal, provincial, and municipal workers across Canada, as well as to the RCMP and the military.
Karen Eltis, an online privacy expert and law professor at the University of Ottawa, says the cyberattack shows that employees across the country—and many who work in government—are in dire need of Internet privacy training.
“It may seem obvious but to many it’s not obvious,” she said in an interview.
“The web is not the Wild, Wild West and anonymity online is illusory,” she stressed.
More than 630 e-mail addresses used to sign up on ashleymadison.com end in gc.ca, which is the standard ending for e-mails used by employees of most federal government departments.
Moreover, research into the leaked files shows that 35 credit-card transactions on the site—by 10 different people—were conducted using House of Commons or Senate IP Internet addresses.
More than 75 credit-card transactions were conducted by 48 people on IP addresses linked to the Department of National Defence, the leaked files reveal.
Eltis said the hack demonstrates that employers across the country need to better train workers on how to ensure companies aren’t embarrassed—or worse, blackmailed—when this kind of data breach occurs.
“Online privacy awareness training is crucial to protect not only the employees but the employers’ reputation,” she noted.
“It may not say something about the company but it’s about the perception that is attributed to the company.”
At least one government agency already has instituted mandatory Internet privacy training as a result of data breaches.
In 2014, Canada’s cryptologic agency, Communications Security Establishment, learned that the data of several of its workers had been compromised.
It forced all employees to take a training course on how to protect digital information.
Prof. Teresa Scassa, another University of Ottawa law professor, said more and more employers are paying attention to training employees about basic understanding of Internet privacy issues.
“But the flip side is that employers have the obligation to protect the personal information that they have,” she added.
“Probably none of these individuals expected this to come out as public; they made the mistake that so many of us do—to trust their personal information to a company.”
Scassa also warned that the e-mails used to sign up to Ashley Madison weren’t verified, meaning many of the government e-mail addresses in the company’s system might have been used by people who did not own them.
“There does seem to be some levels of naivete from people not thinking through all the consequences [of using work e-mails] and learning these things the hard way,” she said.