(December 15, 2016) The website designed to help adults have discrete affairs agreed to settle charges concerning its lack of adequate data security that exposed 36 million of its accounts to hackers in 2015.
AshleyMadison.com and its operating companies settled charges that they deceived consumers by claiming their data was secure and, that if they paid an additional fee, the data would be deleted. The charges were brought by the Federal Trade Commission and 13 states. The site agreed to improve its security and pay a total of $1.6 million.
The website is an online dating site for married individuals or people in committed relationships interested in having affairs with other adults, the FTA noted in its complaint. Consumers enter their dating profiles and can look up others who also have entered their profiles. The website collected and maintained users’ full names, usernames, gender, address, zip codes, relationship status, date of birth, ethnicity, height, weight, email address, sexual preferences, desired encounters, desired activities, photographs, payment card numbers, answers to security questions, and travel locations and dates.
AshleyMadison claimed its site was “100% secure.” It also displayed an icon of a “Trusted Security Award” and another icon that claimed the website was an “SSL Secure Site.” The FTC found the site never received a “Trusted Security Award” and its security measures were inadequate.
In August 2015, “a group identifying itself as ‘The Impact Team’ published 9.l7 gigabyes of information online pertaining to more than 36 million AshleyMadison.com customers and Defendants themselves. The information included the full name of paying customers, and usernames and email addresses of non-paying customers.” In addition, the hackers published profile information including, relationship status, gender, date of birth, sexual preferences, desired encounters, and desired activities, as well as security information and credit card information.
“Defendants’ failures to provide reasonable security for the sensitive, personal information they collected, transmitted, and stored, including sexual preferences and desired encounters, desired activities, email addresses, security questions and answers, real names, billing addresses, and credit card numbers, has caused or is likely to cause substantial injury to consumers in the form of extortion, fraud, disclosure of sensitive, personal information, and other harm,” the complaint charged.
Agreeing to the settlement were defendants ruby Corp, formerly known as Avid Life Media Inc., ruby Life Inc., and ADL Media Inc.
Federal Trade Commission v. ruby Corp, ruby Life Inc., and ADL Media Inc., D.C. District of Columbia No. 16 cv 2438.