AshleyMadison.com Settles FTC, State Charges From 2015 Data Breach

WASHINGTON—The operators of the Toronto-based AshleyMadison.com dating site have agreed to settle Federal Trade Commission and state charges that they deceived consumers and failed to protect 36 million users’ account and profile information in relation to a July 2015 data breach of their network. The site has members from more than 53 countries.

The settlement requires the defendants, Ruby Life Media, to implement a comprehensive data-security program, including third-party assessments, according to an announcement Wednesday from the FTC. In addition, the operators will pay a total of $1.6 million to settle FTC and state actions.

“This case represents one of the largest data breaches that the FTC has investigated to date, implicating 36 million individuals worldwide,” said FTC Chairwoman Edith Ramirez. “The global settlement requires AshleyMadison.com to implement a range of more robust data security practices that will better-protect its users’ personal information from criminal hackers going forward.”

AshleyMadison.com rocketed to prominence before one of the most notorious hacks in the history of the Internet dealt it a devastating blow in the summer of 2015.

With the cheeky tagline of “Life is short. Have an affair,” Ashley Madison bills itself as the world’s leading married dating service for discreet encounters with more than 50 million “anonymous” members in 53 countries. 

The data breach cost Ruby Life Media more than a quarter of its revenue, Chief Executive Rob Segal and President James Millership told Reuters in July.

The two executives told the news service the company was spending millions to improve security and looking at payment options that offer more privacy.

According to the FTC complaint, until August 2014, operators of the site lured customers, including 19 million Americans, with fake profiles of women designed to convert them into paid members. Only users who pay to access the site can use all of its features, such as sending messages, chatting online in real time, and sending virtual gifts.

According to the FTC complaint, the defendants assured users their personal information such as date of birth, relationship status and sexual preferences was private and securely protected. But the FTC alleges the security of AshleyMadison.com was lax.

According to the complaint, the defendants had no written information security policy, no reasonable access controls, inadequate security training of employees, no knowledge of whether third-party service providers were using reasonable security measures, and no measures to monitor the effectiveness of their system security.

Intruders accessed the companies’ networks several times between November 2014 and June 2015, but due to their lax data-security practices, the defendants did not discover the intrusions, the agency has alleged.

On July 12, 2015, the companies’ network experienced a major data breach that received significant media coverage. In August of 2015, the hackers published sensitive profile, account security, and billing information for more than 36 million AshleyMadison.com users. According to the complaint, this included information that the defendants had retained on users who had paid $19 for a “Full Delete” service to purportedly remove their data from the site network.

The complaint charges the defendants misrepresented that they had taken reasonable steps to ensure AshleyMadison.com was secure, that they had received a “Trusted Security Award”, and that they would delete all of the information of consumers who utilized their Full Delete service. The complaint also charges the defendants with misrepresenting that communications received by members were from actual women when in fact they were from fake engager profiles.

Finally, the FTC alleges that defendants engaged in unfair security practices by failing to take reasonable steps to prevent unauthorized access to personal information on their network, causing substantial consumer harm.

In addition to the provisions prohibiting the alleged misrepresentations and requiring a comprehensive security program, the proposed federal court order imposes an $8.75 million judgment which will be partially suspended upon payment of $828,500 to the Commission. If the defendants are later found to have misrepresented their financial condition, the full amount will immediately become due. An additional $828,500 will be paid to the 13 states and the District of Columbia.

The FTC worked with a coalition of 13 states—Alaska, Arkansas, Hawaii, Louisiana, Maryland, Mississippi, Nebraska, New York, North Dakota, Oregon, Rhode Island, Tennessee, and Vermont—and the District of Columbia to secure a settlement against the following defendants: 1) Ruby Corp, formerly known as Avid Life Media Inc.; 2) Ruby Life Inc., also doing business as AshleyMadison.com, and formerly known as Avid Dating Life Inc.; and 3) ADL Media Inc.

In addition, the Office of the Privacy Commissioner of Canada and the Office of the Australian Information Commissioner provided assistance to the FTC’s investigation and reached their own settlements with the company. To facilitate cooperation with its Canadian and Australian partners, the FTC relied on key provisions of the U.S. SAFE WEB Act that allow the FTC to share information with foreign counterparts to combat deceptive and unfair practices that cross national borders.

The Commission vote authorizing the staff to file the complaint and stipulated final order was 3-0. The FTC filed the complaint and final order in the U.S. District Court for the District of Columbia.