Ashley Madison, the dating site for adulterers whose customer list was hacked last year, will pay $8.75 million fine and submit to having its data security monitored for 20 years by the Federal Trade Commission.
While the company doesn’t admit or deny any wrongdoing, it will pay out the cash and follow prescribed actions to establish and maintain a secure network that protects its customers’ data, and to have that action verified periodically by third-party security auditors.
+More on Network World: 20 years ago: Hot sci/tech images from 1996+
The case is a cautionary tale for online vendors who don’t take appropriate steps to secure the personal information of their customers. Failure to do so can be costly and long-lasting in addition to being damaging to the reputation of the affected company.
With Ashley Madison, information about 36 million of its customers were stolen and released online. And in the complaint filed in federal court, the FTC says Ashley Madison failed in some cases to delete customer data from its system despite charging a fee for doing so.
The complaint says the company engaged in deceptive practices by promising its site and transactions were secure and that it made up a “trusted security award” it claimed had been awarded to the site.
Ashley Madison agreed to a federal court order that requires it to:
- Install a director if IS
- Perform a risk assessment to protect customer data
- Upgrade systems based on the assessments
- Offer periodic assessment of controls put in place to safeguard against the risks
- Conduct biennial third-party review of the security by a CISSP, CISA, holder of GIAC from SANS Institute or someone else who is deemed qualified by the FTC for 20 years
- Require similar safeguards from their service providers
A separate segment of the order prohibits the company from misrepresenting how secure its sites are and how well it maintains customer privacy. It is also prohibited from making false claims about any security programs it participates in and any awards it receives.
The security steps the company must take are relatively vague. For example, the outside audits must certify that the security program “is operating with sufficient effectiveness to provide reasonable assurance that the security, confidentiality, and integrity of personal information is protected…”
Still, given that a certified outsider must make that determination, it creates a significant and long-lasting burden.
The Ashley Madison breach came to light last August when a group that disapproved of the adulterous nature of the company’s services posted 9.7GB of data pertaining to its customers. The data posted by a group calling itself The Impact Team included customer birthdates, marital status, answers to security questions, sexual preferences and some credit card numbers and billing addresses. It also included information about customers who had paid $19 to have their data fully deleted, according to the complaint.