TORONTO -- Ruby Corp., the Toronto-based parent company of the adultery dating site Ashley Madison, will pay $1.6 million in settlements following an investigation led by the U.S. Federal Trade Commission into a massive breach of the company’s computer systems and the outing of millions of its members.
Hackers broke into the company’s systems in July 2015 and then posted the information online a month later after the company didn’t comply with their demands to shut down Ashley Madison. New York Attorney General Eric Schneiderman said Wednesday that reckless disregard for data security will not be tolerated. New York joined 12 other states, the District of Columbia and the FTC in the investigation.
New York’s attorney general said the investigation found lax data security practices and said the company made several misrepresentations, including a “Trusted Security Award” that appears to have been fabricated.
“Reckless disregard for data security will not be tolerated,” Schneiderman said in a statement.
It also found Ashley Madison created fake female profiles to entice male users. In some instances, the attorney general said, it used portions of the profile photographs of actual users who had not had account activity within the previous year as the photographs in the fake profiles that it created.
The website - whose slogan was “Life is short. Have an affair” - is marketed to people looking for extramarital relationships. It once purported to have about 39 million members.
Husbands and wives across the world were confronted with their partners’ extramarital affairs after the catastrophic leak spewed electronic evidence of infidelity across the internet. The hacking triggered extortion crimes and led to unconfirmed reports of suicides. Forums such as Reddit, a user-powered news and discussion site, carried stories of anguished husbands and wives confronting their partners after finding their data among the massive dump of information.
The New York attorney general’s office said the settlement with the company is for $17.5 million but said the remainder of the $17.5 million payment is suspended based on Ruby’s inability to pay. It’s unclear why the company couldn’t afford to pay the entire settlement.
In addition to monetary penalties, the attorney general’s office said Ruby agreed to cease engaging in certain deceptive practices, to not create fake profiles, and to implement a stronger data security program.
“This case represents one of the largest data breaches that the FTC has investigated to date, implicating 36 million individuals worldwide,” FTC Chairwoman Edith Ramirez said. “The global settlement requires AshleyMadison.com to implement a range of more robust data security practices that will better-protect its users’ personal information from criminal hackers going forward.”
Vermont Attorney General William H. Sorrell said in a statement that creating fake profiles and selling services that are not delivered is unacceptable behavior for any dating website.
“Today’s settlement closes an important chapter on the company’s past and reinforces our commitment to operating with integrity,” Rob Segal, newly appointed CEO of Ruby, said in a statement.
Ashley Madison is still in operation, although now it advertises as providing a “discreet connection” for anyone.