The operators of the Toronto-based AshleyMadison.com dating site agreed Wednesday to settle Federal Trade Commission and state charges that they deceived consumers and failed to protect 36 million users’ account and profile information when a massive July 2015 data breach of their network occurred.
The site, known for marketing to people who are already in relationships but still want to date, has members from more than 46 countries.
The settlement requires the defendants to carry out a comprehensive data-security program. In addition, the operators will pay $1.6 million to settle FTC and state actions.
“This case represents one of the largest data breaches that the FTC has investigated to date, implicating 36 million individuals worldwide,” said FTC Chairwoman Edith Ramirez. “The global settlement requires AshleyMadison.com to implement a range of more robust data security practices that will better-protect its users’ personal information from criminal hackers going forward.”
“Creating fake profiles and selling services that are not delivered is unacceptable behavior for any dating website,” said Vermont Attorney General William H. Sorrell.
Until August 2014, operators of the site lured customers, including 19 million Americans, with fake profiles of women designed to convert them into paid members, according to the FTC lawsuit. Only users who pay to access the site can use all of its features, such as sending messages, chatting online, and sending virtual gifts.
The FTC lawsuit also said the defendants assured users that their personal information, such as date of birth, relationship status, and sexual preferences, was private and securely protected. But the FTC alleges that the security of AshleyMadison.com was lax.
The defendants had no written information security policy, no reasonable access controls, inadequate security training of employees, and no measures to monitor the effectiveness of their system security, according to the lawsuit.
Intruders accessed the companies’ networks several times between November 2014 and June 2015, but because of their lax data-security practices, the defendants didn’t discover the intrusions, the agency alleges.
On July 12, 2015, the companies’ network experienced a major data breach that received significant media coverage. In August of 2015, the hackers published sensitive profile, account security, and billing information for more than 36 million AshleyMadison.com users. This included information that the defendants had retained on users who had paid $19 for a “Full Delete” service that was supposed to remove their data from the site network, according to the lawsuit.
Along with prohibiting misrepresentations and requiring a comprehensive security program, the proposed federal court order imposes an $8.75 million judgment that will be partially suspended on payment of $828,500 to the FTC. If the defendants are later found to have misrepresented their financial condition, the full amount will be due. An additional $828,500 will be paid to 13 states and the District of Columbia.
The states are Alaska, Arkansas, Hawaii, Louisiana, Maryland, Mississippi, Nebraska, New York, North Dakota, Oregon, Rhode Island, Tennessee, and Vermont.
In addition, Canadian and Australian agencies helped with the FTC’s investigation and reached their own settlements with the company.
The defendants are ruby Corp., formerly known as Avid Life Media; ruby Life, also doing business as AshleyMadison.com, and formerly known as Avid Dating Life; and ADL Media.