A hefty fine is just part of penalties for the Ashley Madison adultery site

A hefty judgement against Ashley Madison, the dating site for adulterers, is just the tip of the iceberg when it comes to the penalties the company must pay as a result of the theft and public posting of its customers' data after the site was hacked last year.

Ruby Corp., the parent company of Ashley Madison, agreed to pay an $8.75 million fine to the Federal Trade Commission and another $8.75 million to 13 states that also filed complaints. It will actually pay only $1.6 million, however, because it lacks the assets to cover the full amount.


Beyond that, Ruby Corp. has agreed to 20 years of Federal Trade Commission oversight of its network security, which adds another layer of complexity and scrutiny to the already demanding task of securing the customer data held by online sites.

The case is a cautionary tale for online vendors that don't take appropriate steps to secure their customers' personal information. Failure to do so can be costly and long-lasting, in addition to damaging the affected company's reputation.

"All companies have a responsibility to protect the privacy and personal information of consumers," says New York State Attorney General Eric T. Schneiderman in a statement about the settlement. "This settlement should send a clear message to all companies doing business online that reckless disregard for data security will not be tolerated."

While the company neither admits nor denies any wrongdoing, it will pay the cash and follow the prescribed actions to establish and maintain a secure network that protects its customers' data, and it will have that work verified periodically by third-party security auditors.

Information about 36 million Ashley Madison customers was stolen. The FTC complaint also says that in some cases Ashley Madison failed to delete customer data from its systems despite charging a fee for doing so.

The complaint says the company engaged in deceptive practices by promising that its site and transactions were secure, and that it fabricated a "trusted security award" it claimed had been bestowed on the site.

Ashley Madison agreed to a federal court order that requires it to:

  • Appoint a director of information security
  • Perform a risk assessment covering the protection of customer data
  • Upgrade its systems based on the findings of that assessment
  • Periodically assess the effectiveness of the controls put in place to address the identified risks
  • Obtain a biennial third-party review of its security program, for 20 years, from a CISSP, a CISA, a holder of a GIAC certification from the SANS Institute, or someone else the FTC deems qualified
  • Require comparable safeguards from its service providers

A separate segment of the order prohibits the company from misrepresenting how secure its sites are and how well it maintains customer privacy. It is also prohibited from making false claims about any security programs it participates in and any awards it receives.

The security steps the company must take are described in relatively vague terms. For example, the outside audits must certify only that the security program "is operating with sufficient effectiveness to provide reasonable assurance that the security, confidentiality, and integrity of personal information is protected…" The order does not prescribe specific controls.

Still, because a certified outsider must make that determination every two years, it creates a significant and long-lasting burden.

The Ashley Madison breach came to light last August when a group that disapproved of the adulterous nature of the company's services posted 9.7GB of data about its customers.

The data posted by the group, which calls itself The Impact Team, included customer birthdates, marital status, answers to security questions, sexual preferences, and some credit card numbers and billing addresses. It also included information about customers who had paid $19 to have their data fully deleted, according to the complaint.

IDG News Service
