In 2015, adultery-enabling website Ashley Madison suffered a data breach that exposed account details for more than 36 million users. The company behind the site, Toronto-based Ruby, settled for $1.6 million on Dec. 14, 2016. New York State Attorney General Eric Schneiderman announced the settlement.
“This settlement should send a clear message to all companies doing business online that reckless disregard for data security will not be tolerated,” Schneiderman said.
As reported in this story, “The FTC alleges the Ashley Madison site suffered from lax security, allowing hackers to break in several times between Nov. 2014 and June 2015. The service also retained personal information of users who had paid $19 to delete their data from the site, the FTC said.”
Investigators found that the site had created fake dating profiles to lure in customers. The company also engaged in deceptive practices, claiming it had earned trusted security awards, which appear to have been fabricated.
The government had initially sought $17.5 million but lowered the amount because of the company’s inability to pay, according to this story. The money will be divided among the 13 states involved in the suit and the Federal Trade Commission.
In addition to monetary penalties, Ruby Corp. agreed to “cease engaging in certain deceptive practices, to not create fake profiles, and to implement a stronger data security program,” according to New York officials.
“The investigation found lax data security practices including a failure to (i) maintain documented information security policies or practices; (ii) utilize multi-factor authentication to secure remote access; and (iii) formally and adequately train company staff and management,” according to the press release from the New York Attorney General’s office.