The AshleyMadison.com hack gained prominence in the national news when it exposed cheating spouses on the Internet. The infidelity website leak bared celebrity names such as Josh Duggar, Snooki’s husband Jionni LaValle, Jeff Ashton, lead prosecutor in the Casey Anthony case, and many more. Upwards of 36 million e-mail accounts were leaked, and, interestingly, more than 15,000 of those users registered with their business e-mail addresses. So why do employees use their work e-mails for personal sites, especially for a site as controversial as AshleyMadison.com? One obvious answer lies in the nature of AshleyMadison.com: these users did not want their significant others to find out, and they did not consider the exposure to their employer created by inappropriate use of their work e-mail address. Infidelity aside, why else do some people register for personal websites using their work e-mails?
The answer, most likely, is convenience. This was the answer my own colleagues gave when I saw them using their work e-mails on personal websites at past jobs. People have constant access to their work e-mail, while using personal accounts and phones during work hours is often discouraged. What do they do when they want the status of something they ordered online? They use their business e-mail address, which they can check for updates without feeling that they are doing something taboo.
Moreover, many companies have implemented Data Loss Prevention (DLP) policies to prevent employees from using their personal accounts at work. This is often done to avoid confidential information going home or to a competing company.
Some employees also erroneously believe that when they leave their current job, their e-mails will vanish. At my previous job, e-mail accounts would become inactive approximately one month after leaving. Nothing ever vanishes, however, unless there is a retention policy that dictates deletion after a certain period of time.
Ultimately, someone might use their work e-mail for personal communication simply because they can get away with it. With no written policy, no policy implementation or enforcement, and no monitoring solution, such as a Security Information and Event Management (SIEM) tool, employees are left to their own judgement.
Equally important, passwords are now getting pulled from these leaked accounts. Qz.com created a graphical chart presenting the statistical findings on the 100 most common passwords and their strength levels. Are these employees also using their work passwords along with their work e-mail? If so, there is a huge risk of data leaks and exposure for their companies. Be wary of using the same password for your work and personal accounts or you might just find yourself, or your company, more exposed than you ever intended.