Law360 reports that the operators of infidelity website Ashley Madison have agreed to shell out $1.6 million and implement enhanced data security measures to settle claims brought by the Federal Trade Commission and more than a dozen state attorneys general over a July 2015 breach that exposed information belonging to roughly 36 million users, the regulators announced Wednesday.
The FTC and attorneys general from New York, Vermont, Maryland and 10 other states, along with Washington, D.C., alleged that Ashley Madison parent company Ruby Corp., which was formerly known as Avid Life Media Inc., and a pair of related entities deceived customers, including 19 million Americans, by luring them to the site with fake profiles of women designed to convert them to paid members, and that they failed to take basic steps to safeguard users’ personal data, such as having a written information security policy and training for its employees.
While the settlement imposes a total judgment of $17.5 million on the website operators, they will only be required to immediately fork over $1.6 million of that sum, with the remainder being suspended due to their inability to pay, according to the regulators. The deal also requires the defendants to undertake a series of corrective measures, including implementing a comprehensive data-security program and having their practices assessed by a “qualified, objective, independent third-party professional” every two years.
“This case represents one of the largest data breaches that the FTC has investigated to date, implicating 36 million individuals worldwide,” FTC Chairwoman Edith Ramirez said in a statement Wednesday. “The global settlement requires AshleyMadison.com to implement a range of more robust data security practices that will better protect its users’ personal information from criminal hackers going forward.”
Rob Segal, who was appointed CEO of Ruby in mid-April and announced a total repositioning and rebranding of Ashley Madison in July, said Wednesday was a “pivotal day” in the ongoing transformation process.
“Today’s settlement closes an important chapter on the company’s past and reinforces our commitment to operating with integrity and to building a new future for our members, our team and our company,” Segal said.
Ruby President James Millership added that the company has already implemented many new business practices and security improvements in the past 18 months, and that the settlement “reflects that the company has proactively made important, transformative changes since last year — and is committed to open, transparent communication.”
Reports that the FTC was probing Ashley Madison first came to light in July, nearly a year after the popular website — which hooks up married people looking to cheat on their spouses — disclosed that personal account and profile information of its 37 million members worldwide had been accessed by hackers bent on blackmail. A month after the theft, the hackers publicly posted the compromised personal data, which purportedly included information that had been retained on users who had paid $19 for a “full delete” service to scrub their data from the company’s records.
According to the FTC’s complaint, which it lodged along with the consent decree in D.C. federal court Wednesday, Ruby assured users that their date of birth, relationship status, sexual preferences and other personal data was private and securely protected, when in reality the security of the Ashley Madison website was lax.
Specifically, Ruby had no written information security policy, no reasonable access controls, inadequate security training of employees, no knowledge of whether third-party service providers were using reasonable security measures, and no measures to monitor the effectiveness of their system security, factors which all contributed to the company failing to detect several intrusions into its networks in 2014 and 2015, the FTC asserted.
The federal and state regulators also took issue with the company’s use of “fembots” to impersonate real women on the site, which they alleged unlawfully tricked users into signing up for paid memberships.
“Creating fake profiles and selling services that are not delivered is unacceptable behavior for any dating website,” Vermont Attorney General William H. Sorrell, who took the lead among the state attorneys general, said. “There is not a different standard simply because a consumer adopts a particular lifestyle. Fraud is fraud and it is against the law. The companies providing these goods and online services must know that the law applies to them just like it applies to everyone else.”
The settlement also won praise Wednesday from privacy regulators in Canada and Australia, which the FTC noted had provided assistance to the FTC’s investigation.
The foreign duo separately came down hard on Ashley Madison earlier this year, when they teamed up to release a report that concluded that the site had insufficient or absent security safeguards in place at the time of a hack that exposed the profile information and email addresses of its millions of users worldwide, despite marketing itself to people as a discreet service.
“In the digital age, privacy issues can impact millions of people around the world,” Daniel Therrien, the privacy commissioner of Canada, said in a statement. “It’s imperative that regulators work together across borders to ensure that the privacy rights of individuals are respected no matter where they live.”
Ruby is represented by James Halpert and Tara Swaminatha of DLA Piper.
The FTC is represented by staff attorneys Shameka L. Walker and Andrea V. Arias.
The case is Federal Trade Commission v. Ruby Corp. et al., case number 1:16-cv-02438, in the U.S. District Court for the District of Columbia.