The adultery website Ashley Madison will pay only $US1.66 million ($2.2 million) to settle US federal and state investigations into a 2015 hack that compromised 36 million user accounts at a time when the company was advertising the site as secure. The site's slogan at the time was, "Life is short. Have an affair."
The agreement was significantly discounted after the company — which changed its name to Ruby Corp from Avid Life Media Inc after the hacking scandal — was unable to pay the $US17.5 million ($23.6 million) penalty it had originally agreed upon. The remainder of the settlement (about 90 per cent) was suspended.
The settlement was made after investigations by 13 states, the US Federal Trade Commission (FTC) and the District of Columbia found the company had been using unreasonably slack security measures at the time of the breach.
"This case represents one of the largest data breaches that the FTC has investigated to date," said FTC Chairwoman Edith Ramirez in a statement. "The global settlement requires AshleyMadison.com to implement a range of more robust data security practices that will better protect its users' personal information from criminal hackers."
The company was accused of reckless disregard for its users' data after about 10 GB of data was dumped on the internet, including users' email addresses, names and details of sexual preferences and fantasies. The leaks ensnared politicians and public officials when about 15,000 government email accounts were identified in the trove of data that was published. The leaks also included the email address of former reality TV star Josh Duggar.
Perhaps even more egregious than Ashley Madison's bad security were its misleading business practices. The investigation led by government agencies found that the company had created thousands of fake female profiles to lure horny men into paying for the service. Even worse, when users paid for a "remove all traces of your usage" option, the company retained all personal information on the back end. That means, ironically, some of these users were ensnared in the data breach.
The company claims to have shut down all fake profiles in the US in 2014, but by that point the company was already in rapid decline. Now that the company is bankrupt, it can't even afford to pay the price for the problems it created.