Owners of Ashley Madison Enter Into Settlement with District, Other States, and FTC Concerning Data Breach

WASHINGTON, D. C. – Attorney General Karl A. Racine announced today that the District, 13 states and the Federal Trade Commission (FTC) have reached a consumer-protection settlement with ruby Corp., ruby Life, Inc. and ADL Media, Inc., the owners of the Ashley Madison website (referred to collectively as “Ashley Madison”). The settlement resolves allegations that Ashley Madison failed to take reasonable steps to secure the personal information of users of their website, leading to a highly publicized Ashley Madison data breach in July of 2015.

The settlement includes a penalty of $1,657,000, which may increase to as much as $17.5 million pending a review of the company’s financial records.

“Companies offering online services have a special responsibility to protect the personal and financial information of their customers, and Ashley Madison failed to live up to that responsibility,” Attorney General Racine said.

The Ashley Madison dating site catered to individuals wishing to have affairs. In July 2015, the site was hacked and millions of Ashley Madison members’ user information (including photographs, usernames, email addresses, communications, and other profile information) was posted online. Attorney General Racine further alleged that Ashley Madison had created thousands of fake user profiles on its website, misrepresented the strength of its security, and sold a “Full Delete” option which it did not carry out in all instances.

In addition to agreeing to pay the monetary penalty, Ashley Madison agreed to cease engaging in certain deceptive practices, to refrain from creating fake profiles, and to implement a stronger data security program. The multistate enforcement action, in addition to the District of Columbia, included Alaska, Arkansas, Hawaii, Louisiana, Maryland, Mississippi, North Dakota, Nebraska, New York, Oregon, Rhode Island, Tennessee and Vermont. The settlement must still be approved by the D.C. Superior Court.

Consumers with concerns about identity theft and privacy on the Internet can contact the Office of the Attorney General’s Consumer Protection Hotline at (202) 442-9828, send an e-mail to consumer.protection@dc.gov, or submit an online complaint on OAG’s website.