One Less (Regulator) Affair for AshleyMadison.com: Site Operators Agree to Settle U.S. Charges Stemming from 2015 Breach
Remember the 2015 AshleyMadison.com data breach, where hackers gained access to the personal information of about 36 million users from over 46 countries, threatened to release the information to the public, and then carried through on that threat? This highly publicized incident has resulted in a $1.6 million settlement between operators of the dating website and the FTC, 13 states, and the District of Columbia, resolving allegations concerning inadequate security and deceptive practices connected to the website. The FTC also received investigative assistance from the Office of the Privacy Commissioner of Canada and the Office of the Australian Information Commissioner, both of which had concluded a joint investigation of the dating website in August. The FTC’s complaint charges AshleyMadison.com with:
- Creating Fake Profiles to Encourage Consumers to Upgrade Services. AshleyMadison.com staff created 24,414 female “engager profiles,” or fake profiles, through which staff would communicate with AshleyMadison.com users. According to the FTC, AshleyMadison.com staff used these engager profiles to entice users to upgrade to a full membership.
- Failing to Remove Consumer Profiles Despite Representations to Consumers That Profiles Would be Deleted. AshleyMadison.com advertised a service option to users that enabled them to delete their “digital trail.” The company charged consumers for this service, but did not disclose until after the purchase was consummated that some information would be retained for legal and financial reasons. Moreover, the company in some instances altogether failed to remove or delete consumer profiles from internal systems.
- Failing to Provide Reasonable Security. AshleyMadison.com did not take reasonable steps to prevent unauthorized access to their systems. According to the FTC, the company did not:
  - Maintain a written information security policy
  - Implement reasonable access controls
  - Provide adequate training for personnel with data security responsibilities
  - Have adequate measures in place to vet third-party service provider security measures
  - Use readily available security measures to monitor systems for data security events and verify the overall effectiveness of their security systems