Indiana agencies, cities probe worker email addresses linked to Ashley Madison … – Indianapolis Star
Officials are investigating after dozens of .gov email domains with ties to Indiana city and state government entities were among the millions of member email addresses outed in the Ashley Madison data breach.
An unverified list of .gov and .mil email domains purportedly belonging to members of the spouse-cheating website was posted this week by an anonymous Internet watchdog. Among them were eight domains tied to the city of Indianapolis at indy.gov.
“The city does have a policy that limits the use of city email addresses to official business purposes,” said Brad Jacklin, press secretary for Mayor Greg Ballard. “We recognize that it’s possible that one or more indy.gov email addresses that are listed on the data dump may indicate a violation of that policy. Their appearance doesn’t necessarily mean that the individual ever visited the site or signed up.”
Hackers who targeted the Ashley Madison website on Tuesday released millions of email addresses registered to the matchmaking service. The hackers said they exposed the information because the Toronto-based owner has refused to comply with their demands to shut down the website.
AshleyMadison.com says it has 39 million members. The website does not require email addresses to be verified, so members could use another person’s email address to sign up and log on.
Other Central Indiana domains listed in the data are tied to Carmel, Greenwood, Hamilton County and Madison County.
Greenwood officials said they quickly looked into the matter as soon as they found out.
“We are aware that there were two @greenwood.in.gov emails on the list,” said Krista Taggart of Greenwood’s Office of Corporation Counsel. “However, we’ve done a forensic search of our email and those were invalid email addresses, and we do not have any evidence that any of our employees were improperly using government email addresses for Ashley Madison sites.”
Several .gov domains also show up with ties to state agencies such as Indiana State Police, Indiana Department of Correction, Indiana Commission for Higher Education, Indiana Public Retirement System and the attorney general. They, too, are probing employee activity.
“We are currently looking into the validity of the email addresses,” said Doug Garrison, IDOC’s chief communications officer.
Cities across the country, including ones in Ohio, North Carolina, South Carolina and Texas, also are investigating domains listed in the leak. The hacker data indicates that 15,000 addresses ending with a .gov designation were listed as an Ashley Madison customer.
At least four North Texas cities are looking into whether their employees used municipal email accounts to sign up, and three city of Cincinnati email domains were listed, according to The Cincinnati Enquirer and WFAA-TV.
“We are going to pursue it,” City Manager Harry Black told the Enquirer on Wednesday night. “We have some information but not enough. I don’t know if it would be a fireable offense, but we will look at our Internet-use policy.”
Many other government-issued email domains from across Ohio were listed in the data breach, according to an Enquirer analysis.
However, “jumping to conclusions about the origination of that IP or email address could be dangerous,” civil attorney Tim Hoch told WFAA-TV.
“What if someone was doing an online impersonation?” Hoch asked. “We see that quite a bit in our practice … especially the divorce side, folks who impersonate others online.”
Using a government email address to register for an adultery website may seem foolish, but CybelAngel Vice President of Operations Damien Damuseau said there was a certain logic to it. Using a professional address, he said, keeps the messages out of personal accounts “where their partner might see them.”
“It’s not that dumb,” Damuseau said.
Ashley Madison’s owner, Avid Life Media Inc., has previously acknowledged suffering an electronic break-in and said in a statement Tuesday it was investigating the hackers’ claim. U.S. and Canadian law enforcement are involved in the probe, the company said.
The AP wasn’t immediately able to determine the authenticity of the leaked files, although many analysts who have scanned the data believe it is genuine.
TrustedSec Chief Executive Dave Kennedy said the information dump also included full names, passwords, street addresses, credit card information and “an extensive amount of internal data.” In a separate blog, Errata Security Chief Executive Rob Graham said the information released included details such as users’ height, weight and GPS coordinates. He said men outnumbered women on the service five-to-one.
Call Star reporter Justin L. Mack at (317) 444-6138. Follow him on Twitter: @justinlmack.