I never expected to be the target of porn blackmail

Karlin Lillington: Although I knew the specific threat was a bluff, I had wider worries

Once your data is breached – even just a single login and password – it leaves you vulnerable in ways you might never imagine. Photograph: iStock


Earlier this week, while checking my spam folder in search of a wayward email, one message caught my eye. The subject heading was one of my own login names and its matching password.

Clicking it open, I discovered a long, impudent email in messy English telling me that the author had installed keylogging software on my computer when I (supposedly) visited a porn site. The writer claimed to have activated the camera on my computer to record me visiting the site, as blackmail evidence. And they also claimed to have full access to my computer.

If I sent $3,000 in bitcoin to an account, the person would destroy the video. If not, the person would mail it to all my contacts, gathered by the malware from my email, phone and social media contacts. If I wanted them to prove this wasn’t a bluff, they would send the video to a random 11 contacts (why 11? But then, I suppose, in hacker world, why not?).

I had a day to make the payment to prevent this humiliating Armageddon.

I knew the specific threat was disconnected from reality, because I hadn’t visited a porn site since working on a story for the Guardian in 1998 on how the porn industry tended to be the earliest adopter of new technologies. (It was a challenging, but fascinating story to do, and a syndicated fragment of the much longer article remains online.)

Back then, there were no cameras on PCs unless you attached your own, so I knew there weren’t 20-year-old videos drifting around.

I checked with a friend and expert on computer security, who reassured me that the email had been doing the rounds for a while and to disregard it as a bluff.

But it’s a particularly devious and probably lucrative bluff because, like it or not, pornography is popular online: one in eight Americans regularly visits such sites. People also tend to use the same logins and passwords at multiple sites. So that email threat must terrorise a certain number of people into believing every word of it.

Still worried

Even though I knew the porn threat was false, the letter worried me. They had one login and password combination. Did they have others? Was there hidden malware on my laptop? Did they have access to my work and home email accounts, my credit card numbers, my social media? Was I going to have to methodically go through and change passwords on dozens of sites, cancel credit cards, and disinfect my laptop? Had the purported malware sent itself to all my contacts, infecting hundreds of others?

Because that’s how hacks work. My information was probably part of multiple tranches from hacked servers and networks, sold on the dark web. Anyone could have it now. But most likely, this particular blackmailer is simply using a purchased list of email addresses, matched to logins and passwords, to generate a standard email in which the relevant subject detail is paired to its matching email address.

This is just one devious way in which hacked data can be put to unexpected purposes that transcend how many of us think about, and may be affected by, hacks and data breaches. In this case, it’s pure social manipulation: the hacker isn’t on your PC at all, and doesn’t have the information or evidence they claim, but you don’t know that. For many people the threat will ring true, and a payment will be made.

Wider worry

This isn’t a cautionary tale warning against reusing passwords or visiting porn sites, or failing to tape over the camera on your internet-accessing devices. Nor is it an amusing anecdote.

It’s a reminder that once your data is breached – even just a small amount, like a single login and password – it leaves you vulnerable in ways you might never imagine. I certainly never expected to be the target of porn blackmail. That the threat to me was meaningless because I couldn’t be blackmailed over something that didn’t happen, didn’t help assuage the wider worry that the person might also have full access to other information.

This – exactly this – is why strong consumer protections and laws that require timely disclosure of data breaches are crucial. It’s why the Facebook-Cambridge Analytica scandal must shock, or this week, the disclosure that Google knew for months that personal data could be exposed through a software glitch on its Google+ social media platform yet didn’t report it, a concern Data Protection Commissioner Helen Dixon is examining.

It’s why the General Data Protection Regulation, with its mandatory breach disclosure requirements and its meaningful fines (if used), is so important. And why the EU and US must be able to prove the viability of transatlantic data transfer agreement Privacy Shield – pertinent to transfers that involve some of our most sensitive data, moved about by some 4,000 companies – when it has its second annual review in coming weeks. 
