Adultery Site Ashley Madison Fined Over Client Data Breach
Parent Ruby Corp.’s settlement reduced for ‘inability to pay’
FTC, 13 states probed 2015 breach exposing 37 million users
Adultery website AshleyMadison.com’s owner agreed to pay a steeply discounted $1.65 million settlement to resolve state and federal probes into a 2015 hack that exposed personal data of 37 million users of the site, whose slogan was “Life is Short. Have an Affair.”
The company, which changed its name to Ruby Corp. from Avid Life Media Inc. after the breach, agreed to a $17.5 million penalty to resolve the multistate investigation, New York Attorney General Eric Schneiderman said in a statement. The amount was reduced by about 90 percent due to an "inability to pay," and the rest was suspended.
“Reckless disregard for data security will not be tolerated,” said Schneiderman, who joined with 12 other U.S. states and the U.S. Federal Trade Commission to announce the settlement.
Hackers dumped almost 10 gigabytes of data on the Internet, providing information on previously anonymous users, including e-mail addresses, names and details of sexual preferences and fantasies, authorities said. As many as 652,627 New York residents were members of Ashley Madison at the time of the security breach.
Toronto-based Ruby, which now bills Ashley Madison simply as an online-dating site, has been cooperating with the FTC for more than a year, according to a statement by Rob Segal, the company’s chief executive officer since July.
“Today’s settlement closes an important chapter on the company’s past and reinforces our commitment to operating with integrity,” Segal said in the statement.
Company spokeswoman Debra Quinn declined to comment on why the company can’t afford to pay the full settlement, despite reporting more users than it had at the time of the breach.
The multistate probe uncovered lax data-security practices at the company, including a failure to maintain its information-security policies or to use so-called multi-factor authentication to secure remote access, according to the statement.
"This case represents one of the largest data breaches that the FTC has investigated," Chairwoman Edith Ramirez said in a statement.
The investigation revealed Ashley Madison failed to purge the user information of millions of customers who cancelled their memberships, even though many had paid for a premium service that promised their data wouldn’t be stored on the company’s servers, according to the attorney general’s statement.
Under the accord, the website operator also agreed to not use fake female profiles, which were often created to entice customers, according to the statement. The data breach revealed those profiles to be bogus and exposed the company’s use of customer photographs for phony profile pictures, it said.
"It used portions of the profile photographs of actual users who had not had account activity within the previous year as the photographs in the fake profiles that it created, cropping or hiding users’ faces, but not their bodies," Schneiderman said.
The hack led Noel Biderman, the company’s former CEO, to step down, and triggered a probe by the Federal Bureau of Investigation, the U.S. Department of Homeland Security and the Royal Canadian Mounted Police.