AshleyMadison.com Operators Settle Charges from 2015 Data Breach

Profile information for 36 million users was stolen in the hack

December 12, 2016

The operators of dating site AshleyMadison.com have agreed to settle Federal Trade Commission (FTC) and state charges of consumer deception and of failing to protect the account and profile information of 36 million user accounts, following a massive hack of their network in July 2015.

The terms of the settlement require the defendants to put into place a comprehensive data-security program, including assessments made by third parties. The operators will also pay $1.6 million to settle FTC and state actions.

"This case represents one of the largest data breaches that the FTC has investigated to date, implicating 36 million individuals worldwide," said FTC Chairwoman Edith Ramirez. "The global settlement requires AshleyMadison.com to implement a range of more robust data security practices that will better protect its users' personal information from criminal hackers going forward."

"Creating fake profiles and selling services that are not delivered is unacceptable behavior for any dating website," said Vermont Attorney General William H. Sorrell. "I was pleased to see the FTC and the state attorneys general working together in such a productive and cooperative manner. Vermont has a long history of such cooperation, and it's great to see that continuing."

"In the digital age, privacy issues can impact millions of people around the world. It's imperative that regulators work together across borders to ensure that the privacy rights of individuals are respected no matter where they live," said Commissioner Daniel Therrien of the Office of the Privacy Commissioner of Canada.

"My office was pleased to work with the FTC and the Office of the Canadian Privacy Commissioner on this investigation through the APEC cross-border enforcement framework," said Australian Privacy Commissioner Timothy Pilgrim. "Cross-border cooperation and enforcement is the future for privacy regulation in the global consumer age, and this cooperative approach provides an excellent model for enforcement of consumer privacy rights."

The FTC alleged in its complaint that, up until August 2014, the site's operators lured customers—including 19 million Americans—to the site using fake female profiles designed to convert them into paying members. Only paying users are able to access all features of the site, such as sending messages, chatting online in real time, and sending virtual gifts.

The FTC claimed that the defendants assured the site's users that their personal information—such as date of birth, relationship status, and sexual preferences—was private and securely protected. However, the agency claims, the site's security was actually lax.

The complaint alleged that the site's operators had no written information security policy, no reasonable access controls, inadequate security training for employees, no knowledge of whether or not third-party service providers were using reasonable security measures, and no measures for monitoring the efficacy of their system security.

The FTC claims that, due to their lax data-security practices, the operators did not discover several hacks of their networks that took place between November 2014 and June 2015.

A major data breach of AshleyMadison.com's network occurred on July 12, 2015, an incident that received significant media coverage. In August 2015 the intruders published sensitive profile, account security, and billing information for more than 36 million users. The complaint alleges that the published information included data the defendants had retained about users who had paid the company $19 for a so-called "Full Delete" service that was supposed to remove their information from AshleyMadison's network.

The defendants were charged with misrepresenting that they had taken reasonable steps to make sure that the site was secure, that they had received a "Trusted Security Award," and that they would delete all information for users who paid for the Full Delete service. They were also charged with misrepresenting that communications their members received were from actual women when, in reality, they were from fake engager profiles.

Finally, the FTC claims that the operators engaged in unfair security practices by not taking reasonable steps to prevent unauthorized access to personal information on their network, causing substantial harm to consumers.

In addition to prohibiting the alleged misrepresentations and requiring a comprehensive security program, the final order imposes a judgment of $8.75 million to be partially suspended upon payment of $828,500 to the FTC. The full amount of the judgment will immediately become due if the defendants are later discovered to have misrepresented their financial condition. Furthermore, an additional $828,500 will be paid to the 13 states involved in the case and the District of Columbia.

The agency collaborated with a coalition of 13 states—Alaska, Arkansas, Hawaii, Louisiana, Maryland, Mississippi, Nebraska, New York, North Dakota, Oregon, Rhode Island, Tennessee, and Vermont—and the District of Columbia to secure a settlement against the operators: ruby Corp, formerly known as Avid Life Media Inc.; ruby Life Inc., also doing business as AshleyMadison.com, formerly known as Avid Dating Life Inc.; and ADL Media Inc.

The FTC's investigation also received assistance from the Office of the Privacy Commissioner of Canada and the Office of the Australian Information Commissioner, which reached their own settlements with AshleyMadison.