Ashley Madison owner settles with US government after data breach

A man looks at the Ashley Madison website in this photo illustration in Toronto on August 20, 2015. THE CANADIAN PRESS/Graeme Roy

Ruby Corp., the Toronto-based parent company of the adultery dating site Ashley Madison, will pay $1.6 million in settlements following an investigation led by the U.S. Federal Trade Commission into a massive breach of the company’s computer systems and the outing of millions of its members.

Hackers broke into the company’s systems in July 2015 and then posted the information online a month later after the company didn’t comply with their demands to shut down Ashley Madison. New York Attorney General Eric Schneiderman said Wednesday that reckless disregard for data security will not be tolerated. New York joined 12 other states, the District of Columbia and the FTC in the investigation.

New York’s attorney general said the investigation found lax data security practices and said the company made several misrepresentations, including a “Trusted Security Award” that appears to have been fabricated.

It also found Ashley Madison created fake female profiles to entice male users. In some instances, the attorney general said, it used portions of the profile photographs of actual users who had not had account activity within the previous year as the photographs in the fake profiles that it created.

The website – whose slogan was “Life is short. Have an affair” – is marketed to people looking for extramarital relationships. It once purported to have about 39 million members.

Husbands and wives across the world were confronted with their partners’ extramarital affairs after the catastrophic leak spewed electronic evidence of infidelity across the internet. The hacking triggered extortion crimes and led to unconfirmed reports of suicides. Forums such as Reddit, a user-powered news and discussion site, carried stories of anguished husbands and wives confronting their partners after finding their data among the massive dump of information.

The New York attorney general’s office said the settlement with the company is for $17.5 million, but that the remainder of that payment is suspended based on Ruby’s inability to pay.

In addition to monetary penalties, the attorney general’s office said Ruby agreed to cease engaging in certain deceptive practices, to not create fake profiles, and to implement a stronger data security program.

“This case represents one of the largest data breaches that the FTC has investigated to date, implicating 36 million individuals worldwide,” FTC Chairwoman Edith Ramirez said. “The global settlement requires to implement a range of more robust data security practices that will better-protect its users’ personal information from criminal hackers going forward.”

Vermont Attorney General William H. Sorrell said in a statement that creating fake profiles and selling services that are not delivered is unacceptable behaviour for any dating website.

“Today’s settlement closes an important chapter on the company’s past and reinforces our commitment to operating with integrity,” Rob Segal, newly appointed CEO of Ruby, said in a statement.