Toronto-based ruby Corp., the owner of the privately held Ashley Madison adultery site, has agreed to pay a $1.7 million penalty following the completion of an investigation by the Federal Trade Commission and a coalition of 13 states and the District of Columbia that shows the company deceived consumers and failed to protect 36 million users’ accounts and profile information in a massive data breach in July 2015.
Among the allegations, the FTC says the company made false statements about the status of site security, including displaying a “Trusted Security Award” logo when it had not received any such award. In addition, the company charged members $19 for its “Full Delete” option which supposedly deleted a member’s digital trail from AshleyMadison.com. Between December 2012 and December 2015, Ashley Madison received a total of $2,388,566 for this option, but not all data was deleted. In some cases, member profiles were removed within 48 hours, but in others, data was kept for up to 12 months.
The complaint reads:
“Defendants’ failures to provide reasonable security for the sensitive, personal information they collected, transmitted, and stored, including sexual preferences and desired encounters, desired activities, email addresses, security questions and answers, real names, billing addresses, and credit card numbers, has caused or is likely to cause substantial injury to consumers in the form of extortion, fraud, disclosure of sensitive, personal information, and other harm.”
“This case represents one of the largest data breaches that the FTC has investigated to date, implicating 36 million individuals worldwide,” said FTC Chairwoman Edith Ramirez in a statement. “The global settlement requires AshleyMadison.com to implement a range of more robust data security practices that will better-protect its users’ personal information from criminal hackers going forward.”
An $8.75 million judgment will be partially suspended upon payment of $828,500 to the FTC. If the FTC later finds out that ruby Corp. misrepresented its financial situation, the full amount will be due immediately and an additional $828,500 will be paid to 13 states and the District of Columbia.
The Office of the Privacy Commissioner of Canada and the Office of the Australian Information Commissioner have reached their own settlements with ruby Corp. According to the New York Times, because of the size of the settlement, Ashley Madison customers will not receive any financial compensation for damages caused by the data breach. Class-action lawsuits, however, are pending.
Talk about cautionary tales! It appears that Ashley Madison did just about everything wrong here, from posting fake profiles to get members to upgrade their membership to dramatic lapses in data security and privacy protection. Based on the FTC’s complaint and subsequent findings, Ashley Madison was neither transparent nor trustworthy. It breached its members’ trust at almost every level, and it walked away with only $1.7 million in penalties after collecting millions from the very customers it inadvertently harmed.
The lesson for subscribers here is that we can never assume our data and our privacy are 100 percent safe. There are always risks when posting information of a personal or private nature online. The lesson for subscription companies is that bad business practices, deliberate deception, and lax security policies and procedures will eventually be found out. It is better to take the time and money to do things the right way, rather than to risk your reputation, your assets and your customers’ privacy for short-term financial gain.