
Ashley Madison Parent Company Slapped With £1.3m Fine Over Data Breach

Matt Broersma is a long-standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications


The adultery site’s parent company is to pay the FTC $1.6m for deceptive marketing practices and the lack of basic security measures

The parent company of adultery-oriented dating website Ashley Madison is to pay US regulators $1.6 million (£1.3m) following a hack last year that led to the public exposure of its users’ personal details.

The US Federal Trade Commission (FTC) launched a probe into the incident in July of this year and found the company had engaged in deceptive marketing practices, including the use of tens of thousands of fake female profiles, and had not taken basic measures to ensure data security.


Extortion

The agency reached a $17.5 million (around £14m) settlement with Ruby Corporation, the Toronto-based holding company formerly called Avid Life Media, but said it would only demand the smaller sum due to Ruby’s inability to pay.

A clause in the settlement stipulates that Ruby will be required to pay the full amount if it later comes to light that the company is able to do so, the FTC said at a press conference.

The majority of Ruby’s clients are in the US, and the regulator said in its complaint the hack had left these people vulnerable to “extortion, fraud, disclosure of sensitive, personal information, and other harm”.

It noted the “creation of websites where people could determine whether someone was a member of AshleyMadison.com, thereby disclosing consumers’ highly sensitive, private information”, adding that consumers “could not reasonably avoid these harms”.

Ruby had accumulated 15.7 million male user profiles and 3.1 million female profiles.

The probe found that while the company charged users $19 (£15) for a “full delete” option that would supposedly eliminate all traces of their interactions, in some cases it retained that data for up to 12 months or failed to ever delete it.

Lax security

The company did notify consumers it would retain some information for six to 12 months – but only after they had paid the removal fee.

Other deceptive practices included the use of large numbers of automated female profiles intended to spur user activity and a claim the company had received a “Trusted Security Award”.

In fact, “Defendants never received a ‘Trusted Security Award’ from any organisation,” the FTC found.

The probe uncovered lax security practices around employee and contractor password management, as well as inadequate network monitoring. As a result, the company was unaware it had been hacked until the attackers made its data public in July 2015.

Ruby could have taken inexpensive measures that would have prevented or mitigated the data breach, the FTC said.

Due to the small size of the settlement, the FTC said it does not plan to create a redress programme for users who paid the $19 deletion fee.
