The Federal Trade Commission (FTC) has demanded Ashley Madison pay US $1.6 million for its failure to protect millions of users’ data.
As we all recall, hackers stole a database containing the usernames, passwords, and other personal information for all 37 million users of the pro-affair adult dating website back in the summer of 2015.
The stolen data was ultimately published online, a leak which led more than one Ashley Madison user to commit suicide and extortionists to blackmail site members and their wives.
The FTC launched a probe into Ashley Madison in July 2016 to determine if the company had taken adequate steps to protect its users’ data leading up to the breach. Among other things, it sought to determine if Ashley Madison honored those users who paid US $20 for a “Full Delete” of their information from the company’s servers.
But as the FTC explains in its complaint, it turns out the company was unfaithful to its users:
“…Defendants have represented, expressly or by implication, directly or indirectly, that they would delete all of the information of consumers who chose the Full Delete option on AshleyMadison.com. …In truth and in fact, … even for those consumers who paid a $19 fee for the Full Delete option, Defendants retained the information from those profiles for up to 12 months. Therefore, the representation… is false or misleading.”
No doubt the breach damaged Ashley Madison’s reputation among its users. Fortunately for them, the company has owned up to at least some of its missteps by agreeing to settle with the FTC.
FTC Chairwoman Edith Ramirez told Ars Technica that Ashley Madison has agreed to a settlement of US $17.9 million. The dating website doesn’t currently have that amount, so it will pay a $1.6 million sum.
That still doesn’t mean the FTC won’t collect the remainder of the fine at a later date. As noted by Megan Geuss of Ars Technica:
“Ramirez noted that the commission looks at financial information provided by the company when the FTC is determining ability to pay. She added that the settlement was made with a so-called ‘avalanche clause’ stipulating that if it later becomes apparent that Ashley Madison’s operators can pay more, the company will be obligated to pay the full amount.”
Those provisions aside, Ramirez said the FTC will not be creating a redress program for users who paid for the “Full Delete” option.
With that said, I can only hope everyone’s learned a lesson from this experience. Ashley Madison should have a pretty clear idea now about what doesn’t work when it comes to users’ data security. Additionally, hopefully some of its former members might now consider going to couple’s counseling before agreeing to hook up online.
The idea of having an affair might still appeal to them, but as the Ashley Madison hack demonstrates, doing so doesn’t pay and can hurt A LOT of people in the process.
One comment on “Ashley Madison slammed with $1.6 million fine for devastating data breach”
This is only the first of many in a new wave. The FTC winning a case of this nature sets a precedent for proof of wrongdoing and opens corporations to individual and class action litigation.
In general, there is a trend to require more information from users than is necessary to conduct business. The collectors don't know what to do with it or how to use it. Worse still, there seem to be no official regulations on handling personal data collected, whether for dating or buying books online.
Most would find the computer-generated recommendations for purchase a nice feature. Beware strangers offering lollipops to children, it is actually the precipice of the slippery slope to sell YOUR personal data.
The EU adoption of the GDPR is a great place for the US and the world to begin providing a standard.
Now if they would only penalize HRC and Podesta for their failure to protect data… that would make a real difference. Oh, well.