Ashley Madison is widely known for offering a dating app with the slogan “Life is short. Have an affair.” What was not widely known was that some user profiles were fake and the company’s insufficient security resulted in a data breach which exposed sensitive information of 36 million users. As a result, Ashley Madison has settled charges brought by the FTC, the Office of the Privacy Commissioner of Canada, the Office of the Australian Information Commissioner, 13 states, and the District of Columbia.
Ashely Madison promised its service was “100% anonymous and secure” and “100% discreet” and that there were “thousands of women” in your city. According to the FTC, however, 16 million of Ashley Madison’s 19 million users were men and company employees actually created thousands of fake profile bots to attract and engage users. In addition, the settlement alleges that despite its security promises, Ashely Madison failed to implement a number of reasonable security measures including: having a written organizational information security policy; adopting access controls such as monitoring login attempts, providing secure remote access, conducting password revocation, and limiting employee access to personal data; using password encryption and creation policies; and conducting employee security training, service provider due diligence, and system monitoring for data security events and effectiveness of protective measures. As a result, hackers were able to breach Ashley Madison’s system and eventually publish 36 million Ashely Madison users’ information online. This information included highly sensitive information such as email, relationship status, sexual preferences, billing addresses, credit card numbers, security questions and answers, and hashed passwords. In some cases, the information of individuals who paid Ashely Madison for a “full delete” of their profiles was also exposed. Once published, users’ information could be searched to identify them by email, address, or credit card numbers.
In its settlement with the FTC, Ashley Madison has agreed it will not mislead consumers about its security practices, the number of users or authenticity of profiles, the terms for deleting profiles, or the extent to which the company has received or adheres to third party seal programs. The company must also undergo biennial third party security assessments and pay $8.75 million dollars partially suspended, due to the company’s inability to pay.
This case demonstrates the FTC’s continued commitment to bringing enforcement actions, including requiring monetary penalties and security audits against companies that fail to implement reasonable security or mislead consumers about their services. See also Aura Labs, in which the FTC alleged that the company misled consumers about the app’s ability to read blood pressure as well as a traditional blood pressure cuff and posted a review that appeared to be independent but was actually written by Aura’s CEO.
