The famously hacked online affairs site AshleyMadison.com has settled with the Federal Trade Commission and state attorneys general over allegations it deceived consumers and failed to protect 36 million accounts and their profile information.
The FTC said 19 million of those customers were in the U.S.
“This case represents one of the largest data breaches that the FTC has investigated to date, implicating 36 million individuals worldwide,” said FTC chairwoman Edith Ramirez in a statement. “The global settlement requires AshleyMadison.com to implement a range of more robust data security practices that will better protect its users’ personal information from criminal hackers going forward.”
Following the breach, some of that information was used in attempts to extort money from various targets.
As to that security, the FTC said the defendants "had no written information security policy, no reasonable access controls, inadequate security training of employees, no knowledge of whether third-party service providers were using reasonable security measures, and no measures to monitor the effectiveness of their system security."
The FTC says the settlement "requires the defendants to implement a comprehensive data-security program, including third-party assessments" and pay $1.6 million. The original judgment was $17.5 million, FTC Chair Edith Ramirez told B&C/Multichannel News on a press call, but most of it was suspended due to the defendants' inability to pay.
She also pointed out that if the FTC finds the companies misrepresented their ability to pay, an "avalanche clause" applies that would require them to pay the full amount immediately.
According to the Maryland attorney general's office, $1,657,000 will be split between the states and the Federal Trade Commission, while the additional $17.5 million payment was suspended. That judgment was based on disgorgement (recovering money paid for deleting a profile that was not fully deleted), not on damages related to possible reputational harm from being exposed as a member of the site, said Ramirez.
According to the Maryland AG, the complaint alleged that the Toronto-based website "had inadequate security measures in place to protect consumers’ personal information and had misrepresented the strength of its security. The complaint also alleged that in the wake of the security breach it was also discovered that the website had sold users a 'Full Delete' option to erase their personal information, but instead retained certain user information that the company had been paid to delete. Further, the complaint alleged that the website had created thousands of fake user profiles designed to trick consumers into buying their services."