FTC to Probe Cheating Spouse Site Ashley Madison

The US Federal Trade Commission (FTC) is set to probe Ashley Madison, the online site for married people looking to have affairs, in the wake of its high-profile data breach that exposed almost 40 million members to potential blackmail.

Ashley Madison (site slogan: “Life is short. Have an affair”) was hit last year by a hacking group called the Impact Team, which managed to lift email addresses, real names, partial credit card numbers, profile descriptions, postal addresses, GPS locations, sexual preferences, and details about the weight and height of users. Post-breach, the company lost more than a quarter of its revenue, according to Avid CEO Rob Segal.

He told Reuters that the fallout is about to get worse. While the FTC’s main goal in the probe has yet to be publicly stated, it should be noted that Impact Team claims that the site’s $20 “Full Delete” feature—which users paid for in order to have the privilege of disappearing from the Ashley Madison records (including the elimination of site usage history and personally identifiable information from the site)—was a “complete lie.”

Further, allegations have surfaced that the site was using fake profiles with chat bots to impersonate real women to talk to male visitors, in an attempt to lure them in. These so-called “fembots” were shut down in the US, Canada and Australia in 2014, and globally by late last year, according to Ernst & Young. As a result, Avid is now facing two class action lawsuits, one in the US and one in Canada.

The FTC is likely looking at both of these issues, as well as the security measures that the company had in place at the time of the breach and whether the company had been negligent (and fine-able).

Deloitte, which the company hired to help remediate the breach, found basic backdoors in Avid’s Linux-based servers, indicating the presence of unpatched holes and poor security hygiene in general. The firm also noted that Ashley Madison was not payment card industry (PCI) compliant (the company now hopes to achieve the first level of PCI compliance by September). Overall, Deloitte is having to completely overhaul the company’s systems.

"We had to basically reinvent their security posture," said Robert Masse, who leads Deloitte's incident response team.

And indeed, Segal told Reuters that the company is spending millions on the project.

Segal said that going forward, the company, which has lost about a quarter of its income after the hack, may reinvent itself, moving away from the infidelity angle. Whether such a pivot could regain the trust of the online affair/dating/relationship set remains to be seen.
