When hackers released email addresses from the Ashley Madison website late last month, they included several listings of .gov email addresses from the City of Rockville and Montgomery County.
Now, those localities are investigating why the email addresses of at least 10 active county employees and four city employees ended up in the data dump of the website encouraging married adults to have affairs.
One county employee email address was included on the lists 12 times, while another was named two times.
All the rest of the county and city employee email addresses appeared once, each on various websites featuring the hacked, but unverified, data.
The nature of the hack raises questions about whether those specific employee email addresses were ever actually involved with Ashley Madison or whether the employees were somehow set-up.
If they were involved with the website, that would raise concerns about whether public employees would use their government-issued email addresses to access it.
Rockville city spokesperson Marylou Berg noted in a Sept. 8 email the city manager “has directed IT staff to inspect certain electronic records.”
Barb Matthews, the city manager, confirmed in a separate email the matter is under investigation.
“We are conducting a review to determine if any current city employees have violated city policy. At this point, we don't know what the results will be,” she said in a Sept. 9 email.
“Given that the findings may be handled as a personnel matter, it is inappropriate to comment on specifics of the review at this time. I expect to wrap up my review within the next week. If I am able to provide more information, I certainly will do so at that time,” she added.
According to Matthews, “no city funds were used to purchase anything from the website,” since the city employees in question cannot use publically issued credit cards.
“Some have access to purchasing cards, and those are restricted to certain uses,” stated Matthews. “Additionally, all expenditures go through a multi-layered process to ensure accountability.”
County executive spokesperson Patrick Lacefield confirmed 10 county employees or their email addresses were on the list and that two email addresses come from retired employees.
“Of course we have no idea if these are legitimate signups since folks can sign up with other people’s names and verifications are not sent to email addresses,” stated Lacefield in a Sept. 9 email.
He noted Ashley Madison has been blocked on County computers since 2003.
According to Lacefield, none of the email addresses have accessed through County computers since at least Jan. 1, 2014 but “they were blocked before that.
“Only exceptions to blocked access are with explicit written permission for investigative purposes,” he added, mentioning there is no evidence any County employees accessed the site during “working hours.”
Lacefield added the investigation I ongoing but, as of Wednesday, county staff had not found “evidence of public expenditures by County employees.”