AshleyMadison.com, a website built to help cheating lovers meet their match, has agreed to settle claims that lax cybersecurity was responsible for a data breach that exposed the personal information of millions of customers last year.
As part of an agreement with the Federal Trade Commission and several state attorneys general, the parent company, Ruby Corp., will pay $1.6 million to resolve charges connected to the July 2015 hack. The breach exposed millions of customers’ addresses, credit card numbers and sexual preferences.
The sanctions announced Wednesday amounted to $17.5 million, but that penalty was largely suspended because of the company’s inability to pay, FTC Chairwoman Edith Ramirez told reporters on a conference call. If regulators later determine Ashley Madison’s parent company misrepresented its financial condition, it will have to pay the entire settlement amount.
“This case represents one of the largest data breaches that the FTC has investigated to date, implicating 36 million individuals worldwide,” Ramirez said in a statement. “The global settlement requires AshleyMadison.com to implement a range of more robust data security practices that will better-protect its users’ personal information from criminal hackers going forward.”
In August 2015, a month after the breach, hackers published the personal information of more than 36 million AshleyMadison.com users online. AshleyMadison.com retained some of that information after charging customers $19 for the “full delete” service to permanently remove their data from the site’s network.
James Halpert, co-chairman of DLA Piper’s cybersecurity practice, represented Ashley Madison and its parent company, formerly known as Avid Life Media Inc. Halpert was not immediately reached for comment Wednesday.
According to the FTC, Ashley Madison advertised that it received a “Trusted Security Award” when, in fact, it had received no such award and failed to take adequate data security measures.
The FTC and attorneys general also alleged that the website created fake profiles to lure in new users. That portion of the FTC’s complaint mirrored charges the agency brought in 2014 against another online dating site, the England-based JDI Dating Ltd. The company agreed to pay $616,165 in redress to resolve claims that it used computer-generated profiles to trick customers into upgrading their accounts and charged users a recurring monthly fee without their consent.
According to the FTC, AshleyMadison.com employed a similar strategy through August 2014, using fake profiles of women to entice 19 million U.S. residents into upgrading to paid accounts.
‘Unprecedented’ international cooperation
Regulators in Canada and Australia assisted the FTC in the investigation and reached separate settlements with Ashley Madison’s Toronto-based parent company. Ramirez said Wednesday the investigation involved an “unprecedented level” of international cooperation.
Ramirez said she expects the FTC to step up its cooperation with overseas regulators as it continues to enforce data-security standards.
“Certainly the fact that these issues impact consumers worldwide means international cooperation is becoming increasingly important,” she said.
“I see it as the beginning,” she added. “I think that’s going to be happening increasingly going forward.”
The FTC has established itself as a top cybersecurity cop in recent years. On Wednesday, Ramirez said she believes cybersecurity is “going to continue to be a top priority” for the agency after President-elect Donald Trump takes office next year.
The FTC was joined in the settlement by 13 states, along with the District of Columbia.
New York Attorney General Eric Schneiderman hailed the deal Wednesday. Ashley Madison’s site has had some 650,000 users in New York state.
“This settlement should send a clear message to all companies doing business online that reckless disregard for data security will not be tolerated,” Schneiderman said in a statement. “All companies have a responsibility to protect the privacy and personal information of consumers, and my office will continue to work with other state and federal authorities to protect consumers from online threats.”