DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

$17.5 Million Settlement With Owner Of Ashleymadison.com In Joint Multi-State And FTC Agreement

Posted on December 14, 2016 by Dissent

Settlement Follows Investigation Finding That Adult Dating Website Maintained Lax Security Practices, Misled Consumers About Its Data Security, And Created Fake Female Profiles To Entice Male Users

In Addition to Penalties, Settlement Requires The Website To Implement Stronger Data Security Program And Cease Deceptive Practices 

NEW YORK—Attorney General Eric T. Schneiderman joined twelve other states, the District of Columbia, and the Federal Trade Commission Wednesday in announcing a $17.5 million settlement with ruby Corp., which owns the dating website AshleyMadison.com. The settlement follows an investigation into the July 2015 hack of the website that resulted in the online publication of user information for millions of AshleyMadison.com members, including photographs, usernames, email addresses, communications, and other profile information.

The settlement includes an immediate payment of $1,657,000 divided amongst the states and the Federal Trade Commission, of which New York will receive $81,330.94. The remainder of the $17.5 million payment is suspended based on ruby Corp.’s inability to pay. Up to 652,627 New York residents were members of Ashley Madison at the time of the security breach.

“This settlement should send a clear message to all companies doing business online that reckless disregard for data security will not be tolerated,” said Attorney General Schneiderman. “All companies have a responsibility to protect the privacy and personal information of consumers, and my office will continue to work with other state and federal authorities to protect consumers from online threats.”

The investigation found lax data security practices including a failure to (i) maintain documented information security policies or practices; (ii) utilize multi-factor authentication to secure remote access; and (iii) formally and adequately train company staff and management.

The Ashley Madison website also made several misrepresentations regarding its data security, including a “Trusted Security Award,” which appears to have been fabricated and had not been awarded by any certification entity; use of an emblem indicating “Certified Zero Risk TM,” which had not been awarded by any certification entity; and representations that it was a “100% Discreet Service” and “100% Secure.”

The Ashley Madison website also offered a “Full Delete” option to consumers.  The “Full Delete” option was advertised to consumers as the ability to “remove all traces of your usage for only $19.00” and it was the only option for consumers who wanted to permanently delete their account profiles. However, the website retained certain information of consumers who purchased the “Full Delete” option for up to twelve months in order to address requests for chargebacks. Additionally, the website did not delete all consumer information from its system, even after twelve months. In particular, the company failed to delete users’ photographs, and in some instances chat communications, nicknames, and sexual preferences. Many users whose information was disclosed in the July 2015 security breach had purchased the “Full Delete,” in some cases more than twelve months prior to the security breach.  As many as 7,989 New York residents had purchased the “Full Delete” option at the time of the breach.

Ashley Madison also created fake female profiles (which it called “engager profiles”) that they used to entice male users who were using Ashley Madison’s free services, to purchase credits to communicate with other members, including “members” with fake profiles. In some instances, it used portions of the profile photographs of actual users who had not had account activity within the previous year as the photographs in the fake profiles that it created, cropping or hiding users’ faces but not their bodies.

In addition to monetary penalties, ruby Corp. agreed to cease engaging in certain deceptive practices, to not create fake profiles, and to implement a stronger data security program. The multistate enforcement action consisted of Alaska, Arkansas, Hawaii, Louisiana, Maryland, Mississippi, North Dakota, Nebraska, New York, Oregon, Rhode Island, Tennessee, Vermont, and the District of Columbia.

New York was represented by Bureau of Internet and Technology Deputy Bureau Chief Clark Russell, under the supervision of Bureau Chief Kathleen McGee. The Bureau of Internet and Technology is overseen by Executive Deputy Attorney General for Economic Justice Manisha M. Sheth.

SOURCE: Attorney General Eric Schneiderman

Related: Consent Judgment. The terms and conditions begin on p. 9, following the complaint. Note that it includes 20-year monitoring, as is pretty common in FTC enforcement actions for data security.

Related: FTC press release

Category: Business SectorOf NoteU.S.

Post navigation

← Nearly half of education-vendor websites tested had security problems, audit reveals
Yahoo Discloses 1 Billion User Accounts Were Hacked in 2013 →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Nigerian National Sentenced To More Than Five Years For Hacking, Fraud, And Identity Theft Scheme
  • Data breach of patient info ends in firing of Miami hospital employee
  • Texas DOT investigates breach of crash report records, sends notification letters
  • PowerSchool hacker pleads guilty, released on personal recognizance bond
  • Rewards for Justice offers $10M reward for info on RedLine developer or RedLine’s use by foreign governments
  • New evidence links long-running hacking group to Indian government
  • Zaporizhzhia Cyber ​​Police Exposes Hacker Who Caused Millions in Losses to Victims by Mining Cryptocurrency
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Google: Hackers target Salesforce accounts in data extortion attacks
  • The US Grid Attack Looming on the Horizon

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • California county accused of using drones to spy on residents
  • How the FBI Sought a Warrant to Search Instagram of Columbia Student Protesters
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Malaysia enacts data sharing rules for public sector
  • U.S. Enacts Take It Down Act
  • 23andMe Bankruptcy Judge Ponders Trump Bill’s Injunction Impact
  • Hell No: The ODNI Wants to Make it Easier for the Government to Buy Your Data Without Warrant

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.