Ashley Madison's parent company, Ruby Corp., will be forced to pay a large settlement for failing to adequately protect its customers' data. Ruby Corp. has been charged US$1.6 million (£1.2 million) by the US Federal Trade Commission (FTC) after investigators found that not only had the company failed to adequately protect its customers' data, but it had also employed a number of tricks to obscure that fact.
The New York Attorney General's office said that Ashley Madison's data security practices were ‘lax’. The company did not maintain documented security policies, use multi-factor authentication or train staff to adequate levels.
Eric Schneiderman, the New York Attorney General, said in a statement that “this settlement should send a clear message to all companies doing business online that reckless disregard for data security will not be tolerated.”
More than that, the company actively deceived users about its security practices, among other things. Ashley Madison, given the nature of its activity, billed itself as a “100 percent discreet service” and “100% percent secure”, even giving itself something called a “trusted security award” which was apparently not awarded by any certification body.
Ashley Madison apparently created fake profiles to coax more male users onto the site, even using the photos of real customers whose accounts were dormant. If users wanted to delete their profiles, Ashley Madison offered a ‘full delete’ option for a small sum. The company, however, kept information on customers for up to a year even if they had opted to have their data deleted. The information of those ‘full delete’ customers showed up in the 2015 breach.
“This case represents one of the largest data breaches that the FTC has investigated to date, implicating 36 million individuals worldwide,” said FTC chairwoman Edith Ramirez. “The global settlement requires AshleyMadison.com to implement a range of more robust data security practices that will better-protect its users' personal information from criminal hackers going forward.”
Ruby Corp. neither admits nor denies the allegations but has agreed not only to pay the settlement but also to put in place a thorough security programme and to refrain from the deceptive practices in the future. The FTC said that the Canadian and Australian regulators provided assistance to the investigation and had reached settlements of their own with the company.
The sum of US$1.6 million will be divided among the FTC and the Attorneys-General of the 13 states involved in the investigation. The original figure was supposed to be much higher.
The New York Attorney General's Office, which was involved in the investigation, said that the original settlement figure was US$17.5 million (£14 million) but that Ruby Corp's financial situation meant that the company was not able to pay that sum.
The breach, which was carried out in July 2015 and whose data was released only a month later, caught as many as 36 million with their pants down. International media swarmed to the story given the release of otherwise private information and the salacious nature of Ashley Madison, now famous for its tagline, “Life is short. Have an affair”.
The fallout from the hack often serves as a worst-case scenario for those concerned with online privacy. Not only did its members have their infidelities publicly broadcast, but many were apparently subject to extortion, and there were even rumours of suicides.
Ruby's new CEO, Rob Segal, released a statement saying that the settlement “closes an important chapter on the company's past and reinforces our commitment to operating with integrity and to building a new future for our members, our team and our company”.
President James Millership added that the company is turning a new leaf after last year's breach: “Today's news reflects that the company has proactively made important, transformative changes since last year — and is committed to open, transparent communication.”
The Toronto-based Ruby Corp, formerly Avid Life Media, bills itself as “the global leader in open minded dating” and runs a number of other services of a similar flavour to Ashley Madison, including CougarLife.com and EstablishedMen.com.
Amit Ashbel, cyber-security evangelist at Checkmarx, told SC Media UK, “on a day that Yahoo admits that one billion account credentials have been stolen, the fine that Ashley Madison got seems like peanuts.”
“I think it's important to enforce cyber-security in one way or another. A fine seems like the most obvious option, just like any business is fined for not fulfilling regulations or laws. That said, a tech organisation should always have their users' data security as top priority and make sure they take all necessary actions to avoid such events in the future.”
Brian Chappell, director of technical services EMEAI & APAC at BeyondTrust, told SC, “You'd like to think that every organisation would take all appropriate action to ensure said data is safe, but good security isn't free and spend is balanced against risk.” Chappell added, “high-profile cases like this one should make boards sit up and listen; the impact of playing fast and loose with user data is getting bigger, as Ruby Corp. are discovering. They now have 17.5 million reasons to do a better job moving forward.”