There are a number of ways that hackers can impact an individual or an organization. They can steal personal and private information and use it for identity theft, and they can run ransomware that holds data hostage unless a ransom is paid. The impact on individuals and businesses can be devastating.
Another impact of attacks and data breaches can be legal and regulatory, namely when an organization is found guilty of negligence in protecting user information. That is exactly what occurred with the Ashley Madison data breach, where the records of 36 million users were leaked. The Federal Trade Commission (FTC) has agreed to a $17.5 million settlement with the site’s operators, Ars Technica reports.
Ashley Madison is a site aimed at matching individuals who are looking for discreet relationships. The very nature of the site means members do not want their information shared, and the August 2015 hack was particularly egregious for those whose identities were revealed. The hackers let loose usernames, full names, passwords, and some other identifying information such as addresses and credit card information.
It wasn’t just the leaked information that caused the FTC to impose the fine. Ashley Madison was also found to have failed to honor the terms of a $20 “Full Delete” fee, under which user information was supposed to be purged and was not. In addition, the site operators were dinged for creating fake “female” user accounts to attract new members.
While the total settlement is $17.5 million, the FTC agreed to allow Ashley Madison’s operators to pay only $1.6 million after considering what they could actually afford to hand over. There is an “avalanche clause,” however, that remains in effect, under which the entire $17.5 million will become due if the operators are found to be able to pay more. They will also be required under the terms of the FTC’s ruling to implement new data security protocols and to submit to third-party auditing to ensure that user data is being protected.
The FTC cannot easily determine how much to fine sites like Ashley Madison because it is difficult to determine monetary damages based on the harm caused by such data breaches. In this case, the FTC also cannot return the $20 fee customers paid to have their data deleted. In the end, the most that members can hope for is that the fine was sufficient to compel the site’s operators to lock things down more tightly.