In 2015, a major data breach at AshleyMadison.com — the dating site targeted at cheaters — exposed information for some 36 million accounts. The company has now entered into a deal that settles federal and state charges that Ashley Madison: misled users about data security and failed to protect user information; charged users to delete profiles (but didn’t); and used fake profiles to lure in customers. While the settlement has a price tag of $8.75 million, Ashley Madison will actually pay significantly less than that.
The Federal Trade Commission’s complaint [PDF] against Ashley Madison’s Toronto-based corporate parent includes an array of allegations, some of them directly connected to the summer 2015 data breach, and others arising from the revelations that resulted from that breach.
For example, after the massive hack — affecting users from 46 different countries — was made public, it became apparent that some of the female profiles on Ashley Madison were in fact so-called “fembots” — the FTC refers to them as “engager profiles” — fakes “created by [Ashley Madison] staff who communicate with consumers in the same way that consumers would communicate with each other — as a way to engage or attract additional consumers to AshleyMadison.com.”
According to the FTC, all but three of the 28,417 engager profiles on Ashley Madison in 2014 were female.
The complaint alleges that Ashley Madison reused photos and other information from dormant profiles on the site to create these bogus users.
“Because these engager profiles contained the same type of information as someone who was actually using the website, there was no way for a consumer to determine whether an engager profile was fake or real,” explains the FTC. “To consumers using AshleyMadison.com, the communications generated by engager profiles were indistinguishable from communications generated by actual members.”
The 2015 hack also revealed that Ashley Madison was not being honest about the premium “Full Delete” service it sold to outgoing users for $19.
The promise of Full Delete was the 100% removal of a user’s “digital trail” — deleting profiles, information, and photos from the site and from search; deleting all communications sent and received, along with all non-message interactions (i.e., winks and virtual gifts).
The FTC says that Ashley Madison made nearly $2.4 million from Full Delete over the course of three years, but the site was not always giving users what they paid for.
“In many instances, Defendants removed consumer profiles from AshleyMadison.com within 48 hours of receiving a Full Delete request, but retained personal information for up to 12 months,” explains the complaint. “In other instances, Defendants failed to remove consumer profiles from their internal systems.”
Before the 2015 breach, Ashley Madison declared itself a very secure site, touting a “Trusted Security Award,” offering “100% Discreet Service,” and boasting elsewhere that the site was “100% secure,” “risk free,” and “completely anonymous.”
The FTC claims that, in reality, not only was that “Trusted Security Award” nonexistent, but Ashley Madison was failing at securing data on multiple fronts:
• By not regularly monitoring unsuccessful login attempts;
• By failing to secure remote access;
• By not revoking passwords for ex-employees of Ashley Madison service providers;
• By failing to restrict access to systems based on employees’ job functions;
• By failing to deploy reasonable controls to identify, detect, and prevent the retention of passwords and encryption keys in clear text files on the site’s network; and
• By allowing employees to reuse passwords to access multiple servers and services.
In the months leading up to the breach, the Ashley Madison internal network had been remotely accessed by intruders multiple times, notes the FTC. Additionally, hackers had used the site’s credentials to make successful unauthorized logins to Ashley Madison’s payment processor’s server.
“Because of Defendants’ failure to monitor their system logs at discrete intervals, Defendants were unaware that there were unauthorized individuals who had access to employee and service provider credentials,” writes the FTC. “It was not until after the data breach that Defendants became aware of these unauthorized logins.”
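As an added illustration (not from the article or the FTC complaint) of what “regularly monitoring unsuccessful login attempts” and checking logs for credentials that should have been revoked look like in practice, the following script runs both checks over a constructed authentication log; the log format, hostnames, account names, source addresses and the revoked-account list are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample auth log, one event per line: "timestamp host result user source_ip".
SAMPLE_LOG = """\
2015-06-01T02:00:01 vpn01 FAIL jdoe 203.0.113.7
2015-06-01T02:00:05 vpn01 FAIL jdoe 203.0.113.7
2015-06-01T02:00:09 vpn01 FAIL jdoe 203.0.113.7
2015-06-01T02:00:14 vpn01 FAIL jdoe 203.0.113.7
2015-06-01T02:00:20 vpn01 FAIL jdoe 203.0.113.7
2015-06-01T02:00:31 vpn01 OK jdoe 203.0.113.7
2015-06-01T09:15:00 pay-gw OK vendor_svc 198.51.100.9
2015-06-01T10:00:00 web02 OK asmith 192.0.2.44
"""
# Hypothetical credentials that should have been revoked (e.g. a former
# service provider's account) but are still accepted by the systems.
REVOKED_ACCOUNTS = {"vendor_svc"}
FAIL_THRESHOLD = 5              # failures per account/host ...
WINDOW = timedelta(minutes=10)  # ... within this sliding window

def parse_events(log_text):
    """Parse the constructed format into (ts, host, result, user, src) tuples."""
    events = []
    for line in log_text.splitlines():
        if line.strip():
            ts, host, result, user, src = line.split()
            events.append((datetime.fromisoformat(ts), host, result, user, src))
    return events

def failed_login_bursts(log_text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return (user, host, followed_by_success) for accounts reaching
    `threshold` failures within `window`; a later success on the same
    account is exactly the pattern an unmonitored site would never see."""
    recent, bursts, succeeded = defaultdict(list), {}, set()
    for ts, host, result, user, _ in parse_events(log_text):
        key = (user, host)
        if result == "FAIL":
            recent[key] = [t for t in recent[key] if ts - t <= window] + [ts]
            if len(recent[key]) >= threshold and key not in bursts:
                bursts[key] = ts
        elif result == "OK" and key in bursts:
            succeeded.add(key)
    return [(u, h, (u, h) in succeeded) for (u, h) in bursts]

def revoked_account_logins(log_text, revoked=REVOKED_ACCOUNTS):
    """Successful logins by credentials that should no longer work."""
    return [(user, host, src) for _, host, result, user, src in parse_events(log_text)
            if result == "OK" and user in revoked]

if __name__ == "__main__":
    print(failed_login_bursts(SAMPLE_LOG), revoked_account_logins(SAMPLE_LOG))
```

Both checks are cheap to run at a fixed interval over each day's logs, which is the "discrete intervals" review the complaint says was missing.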
According to the complaint, the site’s misleading use of fake profiles, failure to disclose the truth about Full Delete services, and touting of security standards that did not exist are all violations of the FTC Act’s prohibition against unfair and deceptive business practices.
To settle these charges, along with allegations brought by the attorneys general of 13 states — Alaska, Arkansas, Hawaii, Louisiana, Maryland, Mississippi, Nebraska, New York, North Dakota, Oregon, Rhode Island, Tennessee, and Vermont — Ashley Madison’s parent company has agreed to a settlement deal worth $8.75 million.
However, claiming financial hardship, the company will only pay around $1.65 million of that — $825,000 to the FTC, and $825,500 to the 13 states — or around $0.04 per exposed account.
If it’s found that the defendants are misrepresenting their financial status, the company could be on the hook for up to the full amount of the settlement.
“This case represents one of the largest data breaches that the FTC has investigated to date, implicating 36 million individuals worldwide,” said FTC Chairwoman Edith Ramirez. “The global settlement requires AshleyMadison.com to implement a range of more robust data security practices that will better protect its users’ personal information from criminal hackers going forward.”