The 2015 Ashley Madison data breach that exposed the credentials of more than 37 million would-be adulterers has resulted in fines of $17.5 million being issued to Ruby Corp., the organization that owns Ashley Madison. The fines were announced this week by both the Federal Trade Commission and the New York attorney general.
The fines were issued due to poor security practices which contributed to the cyberattack, but also for misleading customers about the security protections that had been put in place. The site also created fake female profiles to attract more customers.
The 2015 Ashley Madison data breach exposed customers’ names, addresses, credit card details, and user information such as their sexual preferences. The breach resulted in many customers coming to harm, either financially, or by exposing their sexual activities and desire to have an affair. Some members have reportedly committed suicide as a result of their information being stolen.
The investigation into the 2015 Ashley Madison data breach revealed Ruby Corp failed to implement multi-factor authentication, did not have documented security policies and practices, and did not provide its staff with appropriate training. Yet, even with poor protections in place, the site advertised that it had won awards for data security, which were fabricated. This gave the impression that the site was more secure than it really was.
Investigators also determined that the offer made to customers to fully delete their information for $19 was misleading. Not all of the data were deleted: some information on members remained on the site, and data were kept in case of credit disputes. In some cases, data were kept for more than a year after a full delete. Partial photographs of former female members were also retained and used for fake female profiles, which were used to engage users and encourage them to sign up for paid services on the site.
Ruby Corp has agreed to pay $8.75 million to the Federal Trade Commission and a further $8.75 million to states that also filed complaints following the 2015 Ashley Madison data breach. The $8.75 million will be shared equally between Alaska, Arkansas, Hawaii, Louisiana, Maryland, Mississippi, North Dakota, Nebraska, New York, Oregon, Rhode Island, Tennessee, Vermont and the District of Columbia. However, Ruby Corp will only pay $1.6 million since the company is experiencing financial difficulty and is strapped for assets. The remainder of the settlement has been suspended.
In addition to the fines, Ashley Madison must stop creating fake profiles and engaging in other deceptive practices. Security must also be improved to ensure members’ details are better protected. Ruby Corp will also have its data security measures overseen by the FTC for 20 years.
While Ruby Corp. has agreed to the settlements, the FTC accusations were neither denied nor admitted. According to Ruby Corp CEO Rob Segal, “Today’s settlement closes an important chapter on the company’s past and reinforces our commitment to operating with integrity and to building a new future for our members, our team and our company.”