In a settlement with the Federal Trade Commission and 13 states, Ashley Madison agreed to pay $1.6 million and implement a comprehensive data-security program. The settlement resolves charges that the website deceived consumers and failed to protect 36 million users’ account and profile information in connection with a massive July 2015 breach of its network.
In a blog post, the FTC addressed just how massive the data breach was – cover 3 football fields. FTC Commissioner Ramirez stressed that “[t]his case represents one of the largest data breaches that the FTC has investigated to date, implicating 36 million individuals worldwide.”
The FTC’s complaint alleges that AshleyMadison.com engaged in several practices that failed to provide reasonable data security, including:
- Failure to have a written information security policy
- Failure to implement reasonable access controls
- Failure to adequately train personnel about data security
- Failure to monitor third-party service providers
At the same time, however, Ashley Madison was falsely touting the fact that it had received a “Trusted Security Award” and selling a “Full Delete” service to members that failed to delete this information.
Ashley Madison billed itself as a discreet website where adults could hook up for affairs. The breach, however, only revealed the breadth of the site’s deception. The FTC’s blog post explains:
The website lured you in with promises of “thousands of women” in your city (and mind you, about 16 million of the 19 million U.S. profiles were of men). Then, it used “engager profiles” – fake profiles created by staff who communicated as if they were actual female users. The company created these profiles by using information from existing members who had not had any account activity for a while. Many times, non-paying users upgraded to full memberships so they could send messages to what they believed were real users but were, in fact, fake profiles.
Vermont Attorney General William H. Sorrell stressed, “[c]reating fake profiles and selling services that are not delivered is unacceptable behavior for any dating website.”
Other deceptions included: that they had received a “Trusted Security Award”; that they