After a breach exposed personally identifiable information (PII) of 36 million customers in 46 countries, the operators of the website Ashley Madison have agreed to pay $1.65 million to settle federal and state charges alleging that it both deceived users and did not adequately protect their PII, according to a release from the Federal Trade Commission (FTC).
The fine is a fraction of the $17.5 million the site was originally ordered to pay. The company said it could not afford the original penalty.
In addition to the fine, the settlement tasks Ruby Corp., operators of the site, to implement a "comprehensive data-security program" which must include third-party evaluations. The Toronto-based company changed its name from Avid Life Media following the breach. It now promotes Ashley Madison as an online-dating site, rather than an adultery site.
The FTC complaint cited Ashley Madison for luring customers – including 19 million Americans – with phony profiles of women intended to convert them to paying customers. It further charged that the site assured users that their data was protected, when, in fact, security was lax.
"The defendants had no written information security policy, no reasonable access controls, inadequate security training of employees, no knowledge of whether third-party service providers were using reasonable security measures, and no measures to monitor the effectiveness of their system security," the FTC charges stated.
The site also misrepresented that it took "reasonable" steps to ensure security and failed to delete, as promised, info on customers using the site's premium "Full Delete" option, the FTC charged.
Nearly 10 gigabytes of data stolen from the site – including email addresses, names and details of sexual preferences and fantasies – appeared online.
“This case represents one of the largest data breaches that the FTC has investigated to date, implicating 36 million individuals worldwide,” Edith Ramirez, chairwoman of the FTC, said in the statement on Thursday. “The global settlement requires AshleyMadison.com to implement a range of more robust data security practices that will better protect its users' personal information from criminal hackers going forward.”
Noel Biderman, the company's former CEO, was forced to step down following the breach, and investigations commenced by the Federal Bureau of Investigation, the U.S. Department of Homeland Security and the Royal Canadian Mounted Police.
The FTC worked with a coalition of 13 states and the District of Columbia to arrive at the settlement. The proposed federal court order imposed an $8.75 million judgment, which will be partially suspended upon payment of $828,500 to the FTC. An additional $828,500 will be paid to the 13 states and the District of Columbia, the FTC stated.