WASHINGTON (CN) – The owners of online affair liaison AshleyMadison.com will pay $1.6 million to settle federal and state charges filed in connection with a large-scale security breach that hit the site last year, the government said Wednesday.
In addition to the cost of the settlement, the companies will have to put in place a “comprehensive data-security program” and submit a compliance report next year showing improvements to their cybersecurity systems, according to a Federal Trade Commission press release announcing the settlement.
More than 36 million users of AshleyMadison.com, a dating site that caters to people in committed relationships looking to have an affair, saw their relationship statuses, sexual preferences and billing information posted online last year after a massive security breach.
“This case represents one of the largest data breaches that the FTC has investigated to date, implicating 36 million individuals worldwide,” FTC Chairwoman Edith Ramirez said in a statement. “The global settlement requires AshleyMadison.com to implement a range of more robust data security practices that will better-protect its users’ personal information from criminal hackers going forward.”
The FTC’s complaints with the site began well before the data breach. As late as 2014, the site was using fake accounts to lure new users, whom they then convinced to create paid accounts, according to the agency.
The site boasted that it had received a “trusted security award” and touted other security procedures that in fact never existed, the FTC claimed in a complaint filed Wednesday along with the settlement. The federal complaint filed in Washington, D.C., asserts claims of misrepresentation, unfair security practices and consumer injury.
One such procedure was the promise that the company would erase all account information, including messages to other users, for a $19 fee, according to the complaint.
But even when users paid this fee to scrub their accounts, the site would hold on to their personal information for up to a year and in some cases would never delete it at all, the FTC alleged.
“Creating fake profiles and selling services that are not delivered is unacceptable behavior for any dating website,” Vermont Attorney General William H. Sorrell said in a statement. “I was pleased to see the FTC and the state attorneys general working together in such a productive and cooperative manner.”
Ruby Life Inc., the owner and operator of the website, also did not have a consistent information security policy and failed to take basic cybersecurity steps like taking away passwords from ex-employees, according to the complaint.
These factors combined to leave the personal information of millions of users vulnerable when hackers accessed employee passwords and logged into the website’s networks multiple times between 2014 and 2015, the FTC said.
In July 2015, a message appeared on the website’s customer service computers asking the company to shut down AshleyMadison.com and a related site, and claiming the site had been hacked.
Shortly after the message appeared, a group calling itself “The Impact Team” published the information of more than 36 million users, including some who had never paid to use the service.
The hack spawned an industry of sites that allowed people to search the massive list of users by simply plugging in an email. The FTC says this likely opened up users to “extortion, fraud, disclosure of sensitive, personal information and other harm.”
Thirteen states and the District of Columbia, as well as agencies in Canada, where AshleyMadison.com is based, joined the FTC in pursuing the allegations against Ashley Madison.