We have previously reported on the Ashley Madison data breach and subsequent litigation. On December 14th, Ashley Madison announced that it has agreed to pay $1.6 million and implement additional security measures to settle claims brought by the Federal Trade Commission (FTC) and multiple state Attorneys General over the data breach that occurred in July of 2015.

The FTC and the AGs allege that Ashley Madison failed to protect the personal information of over 36 million users, 19 million of whom were from the U.S., and that users were deceived into participating on the site with fake profiles of women. In particular, the FTC was critical of Ashley Madison’s use of “fembots,” which impersonated real women on the site and “tricked” users into signing up for paid memberships.

According to the Vermont AG, “Creating fake profiles and selling services that are not delivered is unacceptable behavior for any dating website.”

During its investigation, the FTC found that Ashley Madison failed to develop and implement a Written Information Security Program (WISP), did not have reasonable access controls and did not train its employees on data security.

The settlement illustrates the importance of having appropriate data security measures in place, including a WISP, and training employees on data security.