“Life Is Short. Settle with the FTC” – The Cost of Ashley Madison’s 2015 Data Breach

On December 14, 2016, the operators of the online extramarital dating and social networking website AshleyMadison came to an agreement with the Federal Trade Commission and several states to settle FTC and related state charges that the website deceived consumers and failed to protect 36 million users’ account and profile information. As we discussed immediately following the July 2015 breach (and in several later posts), the data of some 36 million accounts was posted online. KrebsOnSecurity reported that the breach included the theft of user databases, financial records (including salary information), and other records from AshleyMadison, Cougar Life, and Established Men, three social networking websites operated by the Toronto, Canada-based firm Avid Life Media, now known as Ruby Corp.

The FTC’s complaint against the website’s operator (a.k.a. Ruby Life Inc.) and its related/parent entities (e.g., Ruby Corp) sought permanent injunctive relief, restitution, the refund of monies paid, and disgorgement of ill-gotten monies in connection with AshleyMadison/Ruby’s marketing and sale of online dating services. The FTC’s complaint noted that, as part of the service, AshleyMadison/Ruby collected and transmitted personal information, including:

16. … full name; username; gender; address, including zip codes; relationship status; date of birth; ethnicity; height; weight; email address; sexual preferences and desired encounters; desired activities; photographs; payment card numbers; hashed passwords; answers to security questions; and travel locations and dates. Defendants also collect and maintain consumers’ communications with each other, such as messages and chats.

AshleyMadison/Ruby’s use of chat-bot-based fake profiles, or “engager profiles,” that lured users into upgrading to paid full memberships was also addressed in the complaint. According to a report in Fortune Magazine, men who signed up for a free AshleyMadison account would be immediately contacted by a bot posing as an interested woman, but would have to buy credits from AshleyMadison in order to reply.

Gizmodo, among many other sites, has examined the allegations of fake female bots or “engager profiles” used to entice male users who were using Ashley Madison’s free services to convert to paid services: “Ashley Madison created more than 70,000 female bots to send male users millions of fake messages, hoping to create the illusion of a vast playland of available women.” The Gizmodo article concluded that “[w]hatever the total number of real, active female Ashley Madison users is, the company was clearly on a desperate quest to design legions of fake women to interact with the men on the site.”

In its complaint the FTC also described problems with AshleyMadison/Ruby’s “Full Delete” option, for which consumers paid $19 to remove their profiles from the website completely, and accused AshleyMadison/Ruby of misrepresentations regarding the terms and conditions for deleting profiles.

It is alleged that AshleyMadison in some instances failed to remove consumer profiles from its internal systems, even though the consumer had paid $19 for the “Full Delete” option.

According to information on the New York Attorney General’s website, AshleyMadison/Ruby (1) retained certain information about consumers who purchased the “Full Delete” option for up to twelve months in order to address chargeback requests, and (2) in several cases did not delete all consumer information—including user photographs, chat communications, nicknames and sexual preferences—from its systems even after those twelve months had passed.
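The two findings above describe a data-handling process, not just a legal outcome: a paid “Full Delete” that tombstones the profile row but leaves photos, chats and preferences behind, plus a billing record kept for a chargeback window that must itself expire. The following is an added example, not code from the original post or from Ruby/AshleyMadison; the store layout, table names, twelve-month window and sample records are all constructed for illustration. It contrasts a naive delete (the alleged failure mode) with a cascading delete that keeps only a minimal billing tombstone, expires that tombstone when the window closes, and sweeps every store to verify nothing remains.

```python
"""Added illustration of a cascading 'full delete' with a chargeback
retention window. All stores, fields and sample data are constructed
assumptions for this example, not Ruby/AshleyMadison's real schema."""
from dataclasses import dataclass, field
from datetime import date, timedelta

CHARGEBACK_RETENTION = timedelta(days=365)   # assumed 12-month window
EXAMPLE_DAY = date(2016, 1, 1)               # constructed "today" for the demo


@dataclass
class Store:
    """In-memory stand-ins for the separate per-type data stores."""
    profiles: dict = field(default_factory=dict)     # user_id -> profile row
    photos: dict = field(default_factory=dict)       # photo_id -> owner user_id
    messages: list = field(default_factory=list)     # (sender, recipient, text)
    preferences: dict = field(default_factory=dict)  # user_id -> preference row
    billing: dict = field(default_factory=dict)      # user_id -> billing record


def sample_store():
    """Constructed sample data (not real records)."""
    s = Store()
    s.profiles = {"u1": {"nickname": "alice"}, "u2": {"nickname": "bob"},
                  "u3": {"nickname": "carol"}}
    s.photos = {"p1": "u1", "p2": "u2", "p3": "u3"}
    s.messages = [("u1", "u3", "hi"), ("u3", "u2", "hello"), ("u3", "u3", "note")]
    s.preferences = {"u1": {"seeking": "x"}, "u2": {"seeking": "y"}}
    s.billing = {"u1": {"card_last4": "1111", "delete_paid_on": None},
                 "u2": {"card_last4": "2222", "delete_paid_on": None}}
    return s


def naive_delete(store, user_id):
    """The failure mode: removing only the profile row leaves photos,
    chats, preferences and billing data in place."""
    store.profiles.pop(user_id, None)


def full_delete(store, user_id, today):
    """Cascading delete: purge every store keyed by the user, except for a
    minimal billing tombstone kept only for the chargeback window."""
    store.profiles.pop(user_id, None)
    store.preferences.pop(user_id, None)
    for pid in [p for p, owner in store.photos.items() if owner == user_id]:
        del store.photos[pid]
    # chats involve two parties: drop anything this user sent or received
    store.messages[:] = [m for m in store.messages if user_id not in (m[0], m[1])]
    if user_id in store.billing:
        store.billing[user_id] = {
            "card_last4": store.billing[user_id]["card_last4"],
            "delete_paid_on": today,
        }


def expire_billing(store, today):
    """Purge billing tombstones whose chargeback window has closed."""
    for uid in list(store.billing):
        paid = store.billing[uid].get("delete_paid_on")
        if paid is not None and today - paid >= CHARGEBACK_RETENTION:
            del store.billing[uid]


def residual_references(store, user_id):
    """Verification sweep: every store that still references the user.
    An empty list is the only acceptable end state after the window."""
    found = []
    if user_id in store.profiles:
        found.append("profiles")
    if any(owner == user_id for owner in store.photos.values()):
        found.append("photos")
    if any(user_id in (m[0], m[1]) for m in store.messages):
        found.append("messages")
    if user_id in store.preferences:
        found.append("preferences")
    if user_id in store.billing:
        found.append("billing")
    return found


def demo():
    """Run both deletes on the sample data and report what remains."""
    s = sample_store()
    naive_delete(s, "u1")
    full_delete(s, "u2", EXAMPLE_DAY)
    after_delete = {"u1": residual_references(s, "u1"),
                    "u2": residual_references(s, "u2")}
    expire_billing(s, EXAMPLE_DAY + CHARGEBACK_RETENTION)
    after_window = {"u1": residual_references(s, "u1"),
                    "u2": residual_references(s, "u2"),
                    "u3": residual_references(s, "u3")}
    return {"after_delete": after_delete, "after_window": after_window}


if __name__ == "__main__":
    print(demo())
```

The sweep is the part worth copying: a deletion routine is only as good as the independent check that walks every store, including shared ones such as chat logs, and confirms the subject identifier no longer appears once the retention window has closed.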

The FTC also concluded that AshleyMadison/Ruby’s statements that the website was “100% secure,” “risk free” and “completely anonymous,” and advertisements describing the site as “secure,” “anonymous” and “risk free,” were misrepresentations regarding network security.

In its press release, the FTC reported that the operators of the Toronto-based dating website agreed to settle FTC and state charges that they deceived consumers and failed to protect 36 million users’ account and profile information in relation to the July 2015 data breach. The settlement requires AshleyMadison/Ruby to implement a comprehensive data-security program, including third-party assessments. It also includes an immediate payment of $1,657,000 divided among the states and the Federal Trade Commission; the remainder of the $17.5 million payment is suspended based on AshleyMadison/Ruby’s inability to pay, according to a press release on the website of the New York State Attorney General.

The FTC worked with a coalition of the District of Columbia and thirteen states—Alaska, Arkansas, Hawaii, Louisiana, Maryland, Mississippi, Nebraska, New York, North Dakota, Oregon, Rhode Island, Tennessee and Vermont—on the investigation and settlement. In addition, the Office of the Privacy Commissioner of Canada and the Office of the Australian Information Commissioner provided assistance to the FTC’s investigation and reached their own settlements with AshleyMadison/Ruby. (Provisions in the U.S. SAFE WEB Act allowed the FTC to share information with its foreign counterparts, here Canada and Australia, to combat deceptive and unfair practices that cross national borders.) The FTC’s announcement of the settlement included comments from the government officials involved in the FTC’s investigation of and settlement with AshleyMadison/Ruby, which in turn provide insight into the state of user privacy concerns and cross-border collaboration on privacy issues:

  • Vermont Attorney General William H. Sorrell – “Creating fake profiles and selling services that are not delivered is unacceptable behavior for any dating website.”
  • Commissioner Daniel Therrien of the Office of the Privacy Commissioner of Canada – “In the digital age, privacy issues can impact millions of people around the world. It’s imperative that regulators work together across borders to ensure that the privacy rights of individuals are respected no matter where they live.”
  • Australian Privacy Commissioner Timothy Pilgrim – “Cross-border cooperation and enforcement is the future for privacy regulation in the global consumer age, and this cooperative approach provides an excellent model for enforcement of consumer privacy rights.”

The AshleyMadison/Ruby data breach case, settled in 2016, is one of the largest that the FTC has investigated to date, and, like many such events, there seem to have been a number of warning signs before the breach, had the company recognized them. In its announcement, the FTC noted that before the 2015 data theft in question, “Intruders accessed the [AshleyMadison/Ruby’s] networks several times between November 2014 and June 2015, but due to their lax data-security practices, the defendants did not discover the intrusions.”

There are several lessons from this outcome.

First, government agencies are actively pursuing enforcement actions against companies with lax data security practices. In its announcement about the settlement, New York State Attorney General Schneiderman stated that “All companies have a responsibility to protect the privacy and personal information of consumers, and my office will continue to work with other state and federal authorities to protect consumers from online threats,” and that “[t]his settlement should send a clear message to all companies doing business online that reckless disregard for data security will not be tolerated.” In this case a settlement of $17.5 million was negotiated (most of it suspended based on inability to pay), and with this settlement it is clear that the real cost of data breaches is increasing, and will continue to increase.

Second, government agencies involved in consumer protection and data security are working together across borders to ensure the privacy rights of consumers. Meeting the demands of these agencies requires planning and a sustained compliance effort for businesses that retain user data on their systems.

Third, data theft is often not discovered until long after the theft has occurred. As the FTC explained, lax data security practices caused AshleyMadison/Ruby to miss that it had already been compromised repeatedly between November 2014 and June 2015. Regular, routine cybersecurity audits, performed internally and by third parties, are critical to detecting and reacting to data theft in a timely manner; the settlement’s requirement of third-party assessments reflects this.