Ashley Madison operators deal avoids US$17.6 million fine for data breach

The operators of the Ashley Madison and related dating sites that suffered a devastating hack in 2015 have escaped paying a multi-million dollar fine.

Instead Ruby Corp. , Ruby Life Ltd. and ADL Media have agreed to pay only have to pay US$1.6 million to the U.S. government and a number of states to settle charges they deceived consumers and failed to protect 36 million users’ account and profile information in the data breach. The full settlement is US$17.5 million, according to the New York State attorney general, but Ruby is being allowed to write a cheque for the the lesser amount due to an inability to pay.

But, according to the settlement, if the three companies are found to have misrepresented their financial shape they will have to pay the full amount to Washington and the states.

The settlement was outlined Wednesday by the U.S. Federal Trade Commission (FTC), which includes requiring the operating companies to implement a comprehensive data-security program, including third-party assessments.

“This case represents one of the largest data breaches that the FTC has investigated to date,” said FTC chairwoman Edith Ramirez. “The global settlement requires AshleyMadison.com to implement a range of more robust data security practices that will better-protect its users’ personal information from criminal hackers going forward.”

In addition to criticizing Ruby Corp. (formerly Avid Life Media) for poor data security Ramirez also hammered the company for creating fake profiles of women looking for relationships to lure subscribers.

The FTC worked with Canada’s federal privacy commissioner in its investigation. In August that office, along with the office of the privacy commissioner of Australia, issued a report, which concluded poor administrator identity and access management controls were at the heart of  the breach, attributed to a group calling itself “The Impact Team” The group threatened to release all of the website’s user information unless Ashley Madison shut down. The company refused. Soon after subscriber information was released.

According to the FTC complaint the sites operators assured users their personal information such as date of birth, relationship status and sexual preferences was private and securely protected. But the company had “no written information security policy, no reasonable access controls, inadequate security training of employees, no knowledge of whether third-party service providers were using reasonable security measures, and no measures to monitor the effectiveness of their system security.”

Intruders accessed the companies’ networks several times between November 2014 and June 2015, the FTC complaint says, alleging that due to lax data-security practices, the intrusions weren’t discovered.

In  a blog on the FTC Web site, Lisa Weintraub Schifferle, a lawyer with the commission’s bureau of consumer protection, concludes with this: “So, what’s the lesson learned from the Ashley Madison case? Businesses must keep their promises. And if you collect sensitive personal information, you must protect it.”

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now