Ashley Madison slammed with $1.6 million fine for devastating data breach

Adultery website was unfaithful to its users…

The Federal Trade Commission (FTC) has demanded Ashley Madison pay US $1.6 million for its failure to protect millions of users' data.

As we all recall, hackers stole a database containing the usernames, passwords, and other personal information for all 37 million users of the pro-affair adult dating website back in the summer of 2015.

The stolen data was ultimately published online, a leak which led more than one Ashley Madison user to commit suicide and extortionists to blackmail site members and their wives.

The FTC launched a probe into Ashley Madison in July 2016 to determine if the company had taken adequate steps to protect its users' data leading up to the breach. Among other things, it sought to determine if Ashley Madison honored those users who paid US $20 for a "Full Delete" of their information from the company's servers.

But as the FTC explains in its complaint, it turns out the company was unfaithful to its users:

"...Defendants have represented, expressly or by implication, directly or indirectly, that they would delete all of the information of consumers who chose the Full Delete option on AshleyMadison.com. ...In truth and in fact, ... even for those consumers who paid a $19 fee for the Full Delete option, Defendants retained the information from those profiles for up to 12 months. Therefore, the representation... is false or misleading."

No doubt the breach damaged Ashley Madison's reputation among its users. Fortunately for them, the company has owned up to at least some of its missteps by agreeing to settle with the FTC.

FTC Chairwoman Edith Ramirez told Ars Technica that Ashley Madison has agreed to a settlement of US $17.9 million. The dating website doesn't currently have that amount, so it will pay a US $1.6 million sum.

That still doesn't mean the FTC won't collect the remainder of the fine at a later date. As noted by Megan Geuss of Ars Technica:

"Ramirez noted that the commission looks at financial information provided by the company when the FTC is determining ability to pay. She added that the settlement was made with a so-called 'avalanche clause' stipulating that if it later becomes apparent that Ashley Madison’s operators can pay more, the company will be obligated to pay the full amount."

Those provisions aside, Ramirez said the FTC will not be creating a redress program for users who paid for the "Full Delete" option.

With that said, I can only hope everyone has learned a lesson from this experience. Ashley Madison should have a pretty clear idea now about what doesn't work when it comes to users' data security. Additionally, hopefully some of its former members might now consider going to couples counseling before agreeing to hook up online.

The idea of having an affair might still appeal to them, but as the Ashley Madison hack demonstrates, doing so doesn't pay and can hurt A LOT of people in the process.


One Response

  1. Spam Sorenson

    December 16, 2016 at 1:49 pm

    This is only the first of many in a new wave. The FTC winning a case of this nature sets a precedent for proof of wrongdoing and opens corporations to individual and class action litigation.

    In general, there is a trend to require more information from users than is necessary to conduct business. The collectors don't know what to do with it or how to use it. Worse still, there seem to be no official regulations on handling personal data collected, whether for dating or buying books online.

    Most would find the computer-generated recommendations for purchase a nice feature. Beware strangers offering lollipops to children; it is actually the precipice of the slippery slope to sell YOUR personal data.

    The EU adoption of the GDPR is a great place for the US and the world to begin providing a standard.

    Now if they would only penalize HRC and Podesta for their failure to protect data… that would make a real difference. Oh, well.