Affair site Ashley Madison reaches $1.6M settlement
The owner of affair and dating website Ashley Madison has reached a more than $1.6 million settlements of findings it used lax online security, misled users and created fake female profiles to lure male customers.
Announced Wednesday by the Federal Trade Commission, 13 states and the District of Columbia, the settlement stems from an investigation of the July 2015 computer hacking of the website once known for the slogan: "Life is short. Have an affair."
The breach enabled cyber thieves to steal customer names, addresses, credit card information and sexual preferences for more than 36 million customers — and then expose that data online for all to see.
"The global settlement requires AshleyMadison.com to implement a range of more robust data security practices that will better protect its users' personal information from criminal hackers," said FTC Chairwoman Edith Ramirez. She said the data breach was among the largest ever investigated by the regulator.
"This settlement should send a clear message to all companies doing business online that reckless disregard for data security will not be tolerated," said New York Attorney General Eric Schneiderman.
Toronto-based ruby Corp., the recently rebranded incarnation of the former Avid Life Media, characterized the agreement as pivotal for customers and Ashley Madison. The company neither admitted nor denied allegations made by federal and state investigators.
"Today's settlement closes an important chapter on the company's past and reinforces our commitment to operating with integrity and to building a new future for our members, our team and our company," said ruby CEO Rob Segal.
Investigators found that the company failed to maintain documented security policies or practices. The firm also neglected to use multi-factor authentication to secure remote access by customers and failed to provide adequate formal training for staffers and management.
The Ashley Madison site featured security representations, including "Trusted Security Award, which investigators found appeared to have been fabricated.
Owner of cheaters site Ashley Madison hacked
The website offered a $19 "full delete" option to customers who wished to permanently remove all traces of their usage. However, investigators found that the owner-company kept some information for those customers for a year or longer. Some of the would-be former clients were among those whose data was still available to web users.
Additionally, the company created fake female "engager profiles" designed to entice male customers to shift from Ashley Madison's free services and purchase credits to communicate with other clients. Some of the profiles used portions of photographs submitted by former female customers who'd had no recent account activity, investigators found.
Ashley Madison's new slogan: 'Find your moment,' not 'Have an affair'
The settlement requires the company to cease usage of some deceptive practices, stop creating fake profiles and implement stronger data security.
A separate compliance agreement on privacy safeguards, record-keeping and other issues with Canadian and Australian authorities was announced with ruby Corp. in August.
The settlement includes proposed federal court orders to impose $17.5 million in judgments against the company. Half of that amount, $8.75 million, would be suspended, based on the company's financial condition, if the firm pays $828,500 to the FTC and an identical amount to be shared by the states. The full judgment could be imposed if investigators determine the company misstated its finances.
The company's payment will be shared by the FTC, Alaska, Arkansas, Hawaii, Louisiana, Maryland, Mississippi, North Dakota, Nebraska, New York, Oregon, Rhode Island, Tennessee, Vermont and the District of Columbia.
Contributing: Nathan Bomey
Follow USA TODAY reporter Kevin McCoy on Twitter: @kmccoynyc