OPW - Mar 13 - Courtesy of Steve Baker, formerly of the Federal Trade Commission...
On Dec 14, 2016 the U.S. Federal Trade Commission announced a settlement in the Ashley Madison (AM) case. Under it, AM agreed that its liability was $8.75M. Because the company could not pay this sum, it instead agreed to pay $1,657,000 in restitution, half going to the FTC and half to the states.
Why was there a case?
In July 2015, hackers stole the data of 36M AM users and made the information public.
What was AM charged with?
- Security issues
- AM made up "trusted security award", displayed on its website
- Use of fake female profiles
- AM failed to delete users' digital trail after they paid $19 for its "full delete" service.
How did the breach happen?
AM employed a virtual private network to allow remote access to its systems. Access required a password plus a "shared secret" that was common to everyone. AM did not appear to have terminated passwords for employees or contractors after they left. At least one server was not password protected, which allowed access to all servers. Many passwords and encryption keys were stored in plain text on the servers.
What data was stolen and released?
- profile info
- passwords, including security questions and answers
- billing info and, in some cases, full credit card numbers
Effects of the AM data breach
The release of this information had a serious effect on the lives of AM members (divorces, some members were subjected to extortion attempts, reportedly ~4 suicides).
What flaws did the FTC find in the AM security system?
AM failed to:
- have a written organizational information security policy
- implement reasonable access controls
- regularly monitor unsuccessful login attempts
- secure remote access
- revoke passwords for ex-employees of their service providers
- restrict access to systems based on employees' job functions
- deploy reasonable controls to identify, detect, and prevent the retention of passwords and encryption keys in clear text files
- adequately train employees to perform their data security-related services
- ascertain that third-party service providers implemented reasonable security measures to protect personal information
In addition, AM allowed its employees to reuse passwords to access multiple servers and services.
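As an added illustration, not part of the OPW summary and not anything the FTC or AM published, here is a small Python detector for two of the controls in the list above: regularly monitoring unsuccessful login attempts, and catching use of credentials that should have been revoked when an employee or contractor left. The VPN log format, account names, addresses and the terminated-accounts list are all constructed for this example; a real deployment would read the VPN server's own authentication log and an HR-sourced leaver list.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format for the example: one VPN authentication event per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample events: a burst of failures followed by a success for one
# account, a successful login by a departed contractor, and two isolated
# failures a day apart that should not trigger anything.
LOG_LINES = [
    "2016-07-11T02:14:05Z vpn auth user=jdoe src=203.0.113.5 result=FAIL",
    "2016-07-11T02:14:09Z vpn auth user=jdoe src=203.0.113.5 result=FAIL",
    "2016-07-11T02:14:12Z vpn auth user=jdoe src=203.0.113.5 result=FAIL",
    "2016-07-11T02:14:20Z vpn auth user=jdoe src=203.0.113.5 result=FAIL",
    "2016-07-11T02:14:31Z vpn auth user=jdoe src=203.0.113.5 result=FAIL",
    "2016-07-11T02:14:44Z vpn auth user=jdoe src=203.0.113.5 result=OK",
    "2016-07-11T03:02:10Z vpn auth user=asmith src=198.51.100.7 result=OK",
    "2016-07-11T03:40:00Z vpn auth user=ex_contractor src=192.0.2.44 result=OK",
    "2016-07-11T04:10:00Z vpn auth user=bwayne src=198.51.100.9 result=FAIL",
    "2016-07-12T04:10:00Z vpn auth user=bwayne src=198.51.100.9 result=FAIL",
]

# Constructed leaver list; in practice this comes from HR / identity management.
TERMINATED_ACCOUNTS = {"ex_contractor"}


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def analyze(lines, terminated, threshold=5, window=timedelta(minutes=10)):
    """Return a list of alert tuples; the first element names the alert type."""
    alerts = []
    failures = defaultdict(deque)   # user -> timestamps of recent failures
    burst_flagged = set()           # users already reported for a failure burst

    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue                # unparsable lines are skipped here
        user, ts, src = ev["user"], ev["ts"], ev["src"]

        # Any attempt, successful or not, by an account that should be revoked.
        if user in terminated:
            alerts.append(("terminated-account", user, src, ev["result"]))

        recent = failures[user]
        if ev["result"] == "FAIL":
            recent.append(ts)
            # Drop failures that fell out of the sliding window.
            while recent and ts - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold and user not in burst_flagged:
                alerts.append(("failure-burst", user, src, len(recent)))
                burst_flagged.add(user)
        else:
            # A success right after a burst of failures is the guess-then-login
            # pattern worth a human look; a plain success clears the state.
            if user in burst_flagged and recent and ts - recent[-1] <= window:
                alerts.append(("success-after-burst", user, src))
            recent.clear()
            burst_flagged.discard(user)
    return alerts


if __name__ == "__main__":
    for alert in analyze(LOG_LINES, TERMINATED_ACCOUNTS):
        print(alert)
```

Run on the constructed lines it reports a failure burst and a success-after-burst for jdoe and a terminated-account login for ex_contractor, while bwayne's two failures a day apart stay quiet. The threshold and window are deliberately parameters: the right values depend on the VPN's user base, and a shared secret common to everyone (as described above) means a burst against any single account deserves attention, because the per-user password is the only thing left to guess.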
Does this case resolve all legal claims against AM?
No. There have been a number of class actions filed against the company.
Why is AM being singled out instead of the hackers?
AM may well contend that it is the victim here. But AM had pledged to keep the info of its members secure.
What will the FTC do with the money?
The FTC recovers money in fraud cases to return to victims. If the FTC does not give money back to victims the money goes to the U.S. Treasury. The FTC keeps none of it.
What does the order require AM to do?
- no deceptive claims
- no misrepresentation of the actual number of users it has
- to have detailed and comprehensive security measures in place
- to hire a third party to perform an initial security assessment and then to do so again every two years for twenty years, and submit those reports to the FTC
- to keep appropriate records and file reports to the FTC demonstrating that it is complying with the order
Lessons for dating companies
- When you operate in many states and countries, you are subject to legal action in each of them
- Data security is increasingly important
- Don't lie about how many members you have
- Don't use fake profiles or bots to urge people to sign up for paid memberships
- Hiding key information in terms and conditions is not going to prevent legal action. Be sure people actually know key information
- Make sure people know how long they are signing up for, and that they understand auto renewals
- Make sure people know how to cancel and that doing so is not difficult
- If you use third-party seals, make sure they are real
- Do read complaints from members
- Do your utmost to keep romance scammers off your sites