The operators of AshleyMadison.com, the hookup site for married people, have agreed to a settlement with federal and state regulators including a 20-year supervision order on their web security and a $1.6 million penalty, the Federal Trade Commission said Wednesday.
“The case that we’re announcing today against AshleyMadison.com aims to protect consumers,” said FTC Chairwoman Edith Ramirez on a conference call with reporters. The July 2015 Ashley Madison data breach, in which hackers dumped the personal data of 36 million worldwide users of the site “is one of the largest the FTC has ever addressed,” she said.
The dump by as-yet-unidentified hackers sent shockwaves across the country as millions of users were outed as seeking an adulterous affair.
“The information that was compromised included people’s names, their sexual preferences, email addresses and their security questions and answers,” said Ramirez.
She pushed back against criticism that the penalty represented a slap on the wrist, emphasizing the non-monetary aspects of the settlement, which she called “strong injunctive relief that provides consumers with meaningful protections going forward.” She also said the penalty was much larger but the agency had suspended about 90 percent of it because the company would have gone bankrupt otherwise.
“We want them to feel the pain, we don’t want them to profit from their unlawful conduct and at the same time we are not going to put somebody out of business,” she said.
“It’s a far lower number than frankly we would have liked,” she said of the penalty.
The FTC complaint highlights three practices the agency alleges were “deceptive and unfair” and therefore prosecutable under the agency’s authorities in the FTC Act, according to Ramirez:
- “The company’s failure to take reasonable steps to ensure that Ashley Madison.com was secure.”
- “The practice of generating profiles of fake women in order to lure customers into paid membership.”
- “The failure to delete customers’ profiles after promising consumers that they would delete their profile and charging them $19 to do so.”
The company promised that customers who paid the $19 would have all their data removed, including their profile; the messages they sent and received; the site usage history; personally identifiable information; and photographs.
Despite earning more than $2.3 million from the $19 “Full Delete” charge, the company “In many instances … retained personal information for up to 12 months,” the complaint states.
This mattered, as Ramirez pointed out, because many of those who had paid for that service nonetheless found their details dumped on the web in July 2015.
The complaint says the company repeatedly misrepresented its security, prominently displaying on the homepage an icon of a “Trusted Security Award,” an icon indicating that the website was an “SSL Secure Site,” and an image indicating that the website offered “100% Discreet Service.” In others places on the site, it was described as “100 percent secure,” “risk free,” and “completely anonymous.
But, according to the complaint, the company had no written information security policy, no reasonable access controls, inadequate security training of employees, no knowledge of whether third-party service providers were using reasonable security measures, and no measures to monitor the effectiveness of their system security.
Hackers got into the company’s networks several times between November 2014 and June 2015, but weren’t spotted due to lax data-security practices, the FTC charged.
The settlement, which covers the FTC action and a separate case brought by 13 states and the District of Columbia, included a total penalty of $17.6 million. But the vast majority of that was suspended owing to the company’s “inability to pay,” said Ramirez.
“Our analysis about ability to pay is based on detailed financial data they submit,” she said, adding that if it subsequently turned out the company had misrepresented its financial state the agency could act to obtain the full penalty.
She urged reporters on the call — several of whom asked about the size of the penalty given that the company revenues in the U.S. alone were $47 million last year — to “focus on the strong injunctive relief” elements of the settlement.
“We don’t typically get monetary relief in our data security cases,” she added.
The injunctive elements of the settlement include a 20-year supervision order during which the company has to adopt gold-standard security practices and have them assessed every two years by an independent third-party assessor and a prohibition on fake profiles.