A.G. Schneiderman Announces $17.5 Million Settlement With Owner Of Ashleymadison.com In Joint Multi-State And FTC Agreement
Settlement Follows Investigation Finding That Adult Dating Website Maintained Lax Security Practices, Misled Consumers About Its Data Security, And Created Fake Female Profiles To Entice Male Users
In Addition to Penalties, Settlement Requires The Website To Implement Stronger Data Security Program And Cease Deceptive Practices
News Release from New York State Attorney General December 14, 2016
NEW YORK—Attorney General Eric T. Schneiderman joined twelve other states, the District of Columbia, and the Federal Trade Commission Wednesday in announcing a $17.5 million settlement with ruby Corp., which owns the dating website AshleyMadison.com. The settlement follows an investigation into the July 2015 hack of the website that resulted in the online publication of user information for millions of AshleyMadison.com members, including photographs, usernames, email addresses, communications, and other profile information.
The settlement includes an immediate payment of $1,657,000 divided amongst the states and the Federal Trade Commission, of which New York will receive $81,330.94. The remainder of the $17.5 million payment is suspended based on ruby Corp.’s inability to pay. Up to 652,627 New York residents were members of Ashley Madison at the time of the security breach.
(According to the parallel suit filed Dec 14—and settled the same day--by the Hawaii Office of Consumer Protection, 33,362 consumers signed up for AshleyMadison in Hawaii and 370 later paid for the bogus ‘Full Delete’ option.)
“This settlement should send a clear message to all companies doing business online that reckless disregard for data security will not be tolerated,” said Attorney General Schneiderman. “All companies have a responsibility to protect the privacy and personal information of consumers, and my office will continue to work with other state and federal authorities to protect consumers from online threats.”
The investigation found lax data security practices including a failure to (i) maintain documented information security policies or practices; (ii) utilize multi-factor authentication to secure remote access; and (iii) formally and adequately train company staff and management.
The Ashley Madison website also made several misrepresentations regarding its data security, including a “Trusted Security Award,” which appears to have been fabricated and had not been awarded by any certification entity; use of an emblem indicating “Certified Zero Risk TM,” which had not been awarded by any certification entity; and representations that it was a “100% Discreet Service” and “100% Secure.”
The Ashley Madison website also offered a “Full Delete” option to consumers. The “Full Delete” option was advertised to consumers as the ability to “remove all traces of your usage for only $19.00” and it was the only option for consumers who wanted to permanently delete their account profiles. However, the website retained certain information of consumers who purchased the “Full Delete” option for up to twelve months in order to address requests for chargebacks. Additionally, the website did not delete all consumer information from its system, even after twelve months. In particular, the company failed to delete users’ photographs, and in some instances chat communications, nicknames, and sexual preferences. Many users whose information was disclosed in the July 2015 security breach had purchased the “Full Delete,” in some cases more than twelve months prior to the security breach. As many as 7,989 New York residents had purchased the “Full Delete” option at the time of the breach.
Ashley Madison also created fake female profiles (which it called “engager profiles”) that they used to entice male users who were using Ashley Madison’s free services, to purchase credits to communicate with other members, including “members” with fake profiles. In some instances, it used portions of the profile photographs of actual users who had not had account activity within the previous year as the photographs in the fake profiles that it created, cropping or hiding users’ faces but not their bodies.
In addition to monetary penalties, ruby Corp. agreed to cease engaging in certain deceptive practices, to not create fake profiles, and to implement a stronger data security program. The multistate enforcement action consisted of Alaska, Arkansas, Hawaii, Louisiana, Maryland, Mississippi, North Dakota, Nebraska, New York, Oregon, Rhode Island, Tennessee, Vermont, and the District of Columbia.
New York was represented by Bureau of Internet and Technology Deputy Bureau Chief Clark Russell, under the supervision of Bureau Chief Kathleen McGee. The Bureau of Internet and Technology is overseen by Executive Deputy Attorney General for Economic Justice Manisha M. Sheth.