
What Dating Companies need to know about the Ashley Madison case

By – Steve Baker

January 17, 2017

On December 14, 2016 the U.S. Federal Trade Commission announced a settlement in the Ashley Madison case, along with 13 different US states and the District of Columbia.   Ashley Madison also settled with the Privacy Commissioners of Canada and Australia.

As a result, Ashley Madison is now subject to a permanent injunction, and has agreed that its liability was $8.75 million.  Because the company could not pay this sum it instead agreed to pay $1,657,000 as restitution, half going to the FTC and half to the states.

What was the Ashley Madison business?

Ashley Madison advertised itself as a site to find someone interested in having a discreet extramarital affair.  Members paid by credit card.  Though based in Toronto, it operated in 46 countries around the world.  Ashley Madison’s revenues in 2014 were more than $100 million.  The company earned an estimated $47.4 million from U.S. members alone in 2015.

Since 2002 Ashley Madison has had about 19 million U.S. members.  15.7 million of these were men; 3.19 million were women.  Ashley Madison had information on some 36 million people, including 19 million people in the U.S.  There were also about 1 million members in Canada and 670,000 in Australia.

Members could create a profile for free, but only those who upgraded to paid memberships could send messages, chat in real time, or send virtual gifts.  Those interested in quitting Ashley Madison were offered an option of a “full delete” of all of their information and emails for an additional $19.

Who were the defendants?

The settlement was with Ruby Corporation (formerly known as Avid Life Media), Ashley Madison, and ADL Media.  Thus the settlement binds not only Ashley Madison, but also the other dating sites operated by the company — Cougarlife.com, Establishedmen.com, and Mancrunch.com.  It did not name the owners or operators of Ashley Madison individually.


Why was there a case?

In July 2015 someone hacked into the Ashley Madison computer system and stole data on the accounts of some 36 million users.  The “Impact Team” demanded that Ashley Madison stop operating both that dating site as well as that of Establishedmen.com, and threatened to make the information public if Ashley Madison did not do so. When Ashley Madison failed to comply the hackers did make the stolen information public.


What was Ashley Madison charged with?

The FTC and the States focused both on deceptive claims made in Ashley Madison’s advertising and marketing and on its security practices.

Deceptive claims.

The FTC complaint asserts four types of deception.

  1. That the company had taken reasonable steps to protect the security of members’ information;
  2. That Ashley Madison had received a “trusted security award,” when it had not;
  3. That many of the communications received were from real women when they were not; and
  4. That the company would delete all the information of members that paid $19 for the full delete option.


In addition, Ashley Madison was charged with “unfair” practices for not taking reasonable steps to prevent unauthorized access to its system.  We explain each of these issues in turn.

Security Award

On its web site Ashley Madison had a seal that said “trusted security award.”  See it here.  Ashley Madison admitted that it simply made this up.  There were no separate third parties that had bestowed this on the company.

Use of fake profiles

Ashley Madison also created fake profiles of women.  This was an effort to get recipients to become full members who could communicate with others using the web site.  In 2014 they had 28,417 “engager” profiles on their site, all but three of which were of women.  Thus when someone first came to the site, and had not yet paid for a full membership, they would receive winks and emails from these fake profiles.  But members could not respond without upgrading to a paid full membership.  The FTC complaint states that this practice only took place until August 2014.


However, there were newspaper reports in 2013 that Ashley Madison had been sued by a former employee who alleged she got carpal tunnel syndrome from typing up 1000 fake profiles for the company to use in a new website for Brazil.


Though it seems not to have been addressed by the settlement, those who examined the Ashley Madison data reported that, of the 37 million profiles on the dating site, at most 12,000 belonged to women who were active on the site.

This is the second time that the FTC has taken action against a dating company using fake profiles to get people to enter their credit card information and sign up for a paid membership. The same allegations were made in the FTC’s case against JDI Dating.  In addition, several years ago the Australian Competition and Consumer Commission took legal action against Jetplace for using fake profiles.

The Full Delete

Ashley Madison advertised that if a member ever decided to quit the service it would delete their “digital trail” by deleting any messages sent or received, profiles, usage history, photos, etc.  Only after purchasing did members learn that Ashley Madison would keep “some” information for 6-12 months for “legal and financial” reasons.  Many of these profiles were also part of the hacked information.

The “legal and financial” reasons seem to have been keeping the information to counter possible credit card chargebacks.  The Report of the Privacy Commissioners seems to have accepted this as a valid reason, although they noted that there was no reason to keep profile pictures.  The FTC order requires that Ashley Madison disclose its terms and conditions on deleting profiles.

Security Issues

Not surprisingly, Ashley Madison stressed its security measures in its advertising with statements such as “Our service is 100% secure,” “risk free,” and “completely anonymous.”   The Canadian and Australian Privacy Commissioners released a report detailing the steps Ashley Madison had, or had not, taken to protect the security of its information.  It does appear Ashley Madison did make some real efforts to try to keep its information secure, and that after the breach it took more steps to beef up its security.

How Did the Breach Happen?

The report of the privacy commissioners suggests that this is what happened. Ashley Madison employed a virtual private network to allow remote access to its systems.  To access it, you needed a password and also a “shared secret” that was common to everyone.  Ashley Madison does not seem to have terminated the passwords of employees or contractors after they left.  At least one server was not protected by a password – thus allowing access to all servers.  In addition, many passwords and encryption keys were stored in plain text on the servers.

Before the data was stolen the hackers seem to have spent several months examining the Ashley Madison systems, gaining administrative access, and modifying logs that would have shown the access. The Privacy report suggests that the breach may have begun with a payment processor.

What data was stolen and released?

The Report also shows three categories of data were breached and released:

  • Profile information, including gender, date of birth, and information such as “my intimate desires.”
  • Account information, such as members’ password, security questions and answers; and
  • Billing information, including real names, billing addresses, the last four digits of credit cards and, in some cases, full credit card numbers.

Effects of the Ashley Madison Data Breach

Obviously the release of this information could, and did, have a serious effect on the lives of Ashley Madison members.  In addition to the obvious embarrassment members suffered and the resulting divorces, there were press reports that some members were subject to extortion attempts and that at least four suicides resulted.  Many members communicated through Ashley Madison from their work email rather than their home email, for obvious reasons, and thus both federal and state government email addresses were disclosed.  Governments obviously looked through that information for employees who had been engaging in these activities at their place of work.

Notifying Members of the Breach

One key component of most laws dealing with data breaches is a requirement that a company notify those whose data was compromised.  After learning of the breach Ashley Madison issued press releases and set up a dedicated phone line and email inquiry facility to let members contact the company.  It later provided written notification by email to users in some countries, including Canada, Australia and, presumably, the U.S.

Neither the FTC nor Australia/Canada addressed the notification aspect in their actions.

What flaws did the FTC find in the Ashley Madison security system?

Here are the failures itemized in the FTC complaint. Note that most of them address shortcomings in password protection and access to its system.  It is not a short list:

  • Failed to have a written organizational information security policy.
  • Failed to implement reasonable access controls; specifically, Ashley Madison:
  • Failed to regularly monitor unsuccessful login attempts
  • Failed to secure remote access
  • Failed to revoke passwords for ex-employees of their service providers
  • Failed to restrict access to systems based on employees’ job functions
  • Failed to deploy reasonable controls to identify, detect, and prevent the retention of passwords and encryption keys in clear text files on Defendant’s network, and
  • Allowed their employees to reuse passwords to access multiple servers and services
  • Failed to adequately train Defendant’s personnel to perform their data security-related services, and
  • Failed to ascertain that third-party service providers implemented reasonable security measures to protect personal information. For example, Defendants failed to contractually require service providers to implement reasonable security, and failed to use readily available security measures to monitor their system and assets at discrete intervals to identify data security events and verify the effectiveness of protective measures.
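Two of the findings above, and two of the conditions described under “How Did the Breach Happen?”, are the kind a company can check for in its own logs: remote-access credentials that were never revoked after a contractor left, and unsuccessful login attempts that nobody was watching. The following is an added example, not code from the article, the FTC complaint or the company; the account names, addresses, offboarding dates and log format are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed offboarding list (hypothetical): account -> date its access should have ended
DEPARTED = {"contractor_b": datetime(2015, 3, 1)}

# Constructed VPN authentication log (hypothetical format): timestamp user source_ip result
VPN_LOG = """\
2015-05-02T01:12:09Z alice 198.51.100.4 OK
2015-05-02T01:13:40Z contractor_b 203.0.113.7 FAIL
2015-05-02T01:13:52Z contractor_b 203.0.113.7 FAIL
2015-05-02T01:14:03Z contractor_b 203.0.113.7 FAIL
2015-05-02T01:14:20Z contractor_b 203.0.113.7 OK
2015-05-02T09:30:00Z bob 198.51.100.9 FAIL
2015-05-02T17:45:11Z bob 198.51.100.9 OK
"""


def parse_log(text):
    """Turn the space-separated log lines into dicts with a real datetime."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        records.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                        "user": user, "ip": ip, "ok": result == "OK"})
    return records


def departed_logins(records, departed):
    """Successful logins by accounts whose access should already have been revoked."""
    return [r for r in records
            if r["ok"] and r["user"] in departed and r["ts"] >= departed[r["user"]]]


def failed_bursts(records, window=timedelta(minutes=5), threshold=3):
    """Accounts with at least `threshold` failures inside one sliding `window`.

    Returns {user: largest number of failures seen in a single window}.
    """
    failures = {}
    for r in records:
        if not r["ok"]:
            failures.setdefault(r["user"], []).append(r["ts"])
    flagged = {}
    for user, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # drop old failures from the left until the window spans at most `window`
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


if __name__ == "__main__":
    recs = parse_log(VPN_LOG)
    for r in departed_logins(recs, DEPARTED):
        print("revoked account still logging in:", r["user"], r["ts"], r["ip"])
    for user, n in failed_bursts(recs).items():
        print("failed-login burst:", user, n)
```

Run against the sample, it reports one successful login by the departed contractor and a burst of three failures from that same account in under a minute, which is the pattern the complaint says went unmonitored.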

Does this case resolve all legal claims against Ashley Madison?

No.  Needless to say, there have been a number of class actions filed against Ashley Madison.

In addition, since Ashley Madison operated in more than forty countries there is nothing to prevent other government agencies from taking additional action.  Finally, civil settlements like that of the FTC do not prevent criminal charges.


Why is Ashley Madison being singled out instead of whoever hacked their system?

Ashley Madison may well contend that it is the victim here, that the breach was done by someone else and that it has already suffered the consequences of its actions.  This approach, however, overlooks the fact that it was the information of its members that was stolen from Ashley Madison, and that the company had pledged to keep it secure.

Obviously legal action can also be taken against those who hacked its systems.  That has not happened so far, but it would be hard to believe that law enforcement agencies have not investigated this.

What will FTC do with the money?

The FTC recovers money in fraud cases to return to victims, and has discretion to decide if refunds directly to victims are practical or not. If the FTC does not give money back to victims the money goes to the U.S. Treasury. The FTC keeps none of it.

What does the order require Ashley Madison to do?

The Ashley Madison court order prohibits the deceptive claims charged in the complaint to U.S. individuals, and also prohibits the company from misrepresenting the actual number of users it has, and in particular the actual number of women users.  The order also addresses “engager” profiles and whether profiles were created by the company. The order also requires that the company have detailed and comprehensive security measures in place.


As in most other FTC data security cases, the order requires Ashley Madison to hire a third party to perform an initial security assessment and then to do so again every two years for twenty years, and to submit those reports to the FTC.  These assessments can be quite costly.  Finally, Ashley Madison must keep appropriate records and file reports with the FTC demonstrating that it is complying with the order.

Violations of a permanent injunction are contempt of court, which can be handled either as civil contempt (to bring someone into compliance with an Order) or as criminal contempt (punishment for violating a court order).

Consumer Lessons for Dating Companies

  • When you operate in many states and countries you are subject to legal action in each of these.
  • Data Security is increasingly important
  • Don’t lie about how many members you have
  • Don’t use fake profiles or bots to urge people to sign up for paid memberships
  • Hiding key information in terms and conditions is not going to prevent legal action. Be sure people actually know key information
  • Make sure people know how long they are signing up for, and that they understand auto renewals
  • Make sure people know how to cancel and that doing so is not difficult
  • If you use third party seals make sure they are real
  • Do read complaints from members
  • Do your utmost to keep romance scammers off your sites


Resources

FTC press release

Canadian Privacy Commissioner press release

FTC complaint

FTC order

Report of Privacy Commissioners

Canada compliance agreement

Australia undertaking (legal order)

BFR 10/5/17


BAKER FRAUD REPORT #6 2/9/17

February 9, 2017

Just in time for Valentine’s Day — Romance scams

Nigerian Romance Fraudster Olayinka Sunmola Sentenced to 27 years in federal prison – prosecuted  in the Southern District of Illinois.

Sunmola operated from South Africa, often impersonating an officer in the U.S. Army.  He defrauded at least 100 women, several of whom even bought wedding dresses in anticipation of their marriage to him when he arrived.  Sunmola also used stolen credit cards to steal laptops and other electronic gear worth over $1 million, which he had his victims ship to him in South Africa.  In addition to prison, Sunmola was ordered to pay $1.7 million in restitution.   The South African police have sold Sunmola’s home and other assets in South Africa, and $200,000 has been turned over to the court for return to victims.

In sentencing Sunmola the court relied not only on evidence of financial losses, but also the devastating emotional impact his fraud had on victims.  At the conclusion of his time in prison he will be deported to Nigeria.  For a full description of this case click here.

Nigerian romance scammer, senior member of “black axe” faces extradition from Canada

Akohomen Ighedoise admitted that he impersonated a US Army General and defrauded a Toronto widow of $609,000.  He now faces extradition from Canada to the US.  Canadian officials also charge that Ighedoise is a senior member of the Black Axe, also known as the Nigerian Mafia.  The Black Axe is alleged to operate around the world, and is suspected of murdering scores of people.

Three Nigerians who had been extradited from South Africa were convicted in the Southern District of Mississippi after a three-week trial.  They were convicted of a variety of crimes including romance scams, fake check scams, reshipping scams and other fraud.  21 other defendants have also been charged in this major effort.  Last summer that office extradited six Nigerians from South Africa.

Ashley Madison documentary now airing on Netflix in the US

Ashley Madison is the dating site for extramarital affairs that had a massive data breach, including names and photos of millions of cheating spouses.  A documentary called “Sex, Lies, and Cyber Attacks” aired in the UK and is now being released here.  In addition, the Federal Trade Commission and the Privacy Commissioners of Canada and Australia recently settled a case against Ashley Madison, dealing not only with Ashley Madison’s false promises that it made sure its data was secure, but also alleging that many, or most, of the women on the site did not really exist.  See this article providing essentials on this settlement.

Changes at the Federal Trade Commission

The President has named FTC Commissioner Maureen Ohlhausen as Acting Chair of the FTC.  She has named Tom Pahl Acting Director of the Bureau of Consumer Protection.  Both are highly respected.

New Identity theft Survey for 2016

Key points:

  • Identity theft increased 16% from 2015
  • Two million more victims
  • Losses up to $16 billion for 2016
  • Use of stolen credit cards over the internet and on the phone went up 40%
  • Use of stolen cards used in person stayed level
  • New chip cards may be reason for the change
  • New account fraud – applying for a credit card in someone else’s name – nearly doubled
  • Losses from account takeover fraud up 61%, estimated losses $2.3 billion
  • Hijacking of mobile phone accounts nearly doubled

Increase seen in “binary options” investment fraud

The Canadian Anti-Fraud Centre (formerly known as Phonebusters) has seen a strong increase in this type of investment fraud in the last year or so.  According to press reports there may be 100 or more boiler rooms operating out of Israel and defrauding victims around the world out of billions of dollars.   There was a recent suicide by one Canadian investor, and last month police and regulators around the world met to discuss this problem.

Ransomware

Ransomware shuts down government of Licking County, Ohio

UK arrests two for ransomware on DC police surveillance cameras

Video explains how ransomware works

Fake Checks

New FBI warning on fake check scams targeting college students

Fake jobs for college students.  They are sent a fake check, deposit it, and send money to a supposed third party.

Jamaica

Jamaican in Schenectady NY sentenced to 41 months in prison.  Used bogus sweepstakes mailings, then collected funds from victims and sent part to Jamaica.

Press release from indictment

Newspaper column in Jamaica on the problem of lottery scammers

Business Email Compromise, or CEO fraud, now hitting Homeowners

In the last year or two there has been a dramatic increase worldwide in frauds that use emails impersonating CEOs and other senior executives and instructing financial officers to wire money to accounts controlled by the fraudsters.  The FBI reports businesses are losing billions. In addition, this fraud has now begun targeting personnel officials, telling them to send along the W-2s of groups of employees, which can then be used for ID theft or to file bogus tax returns.

The FBI says this fraud has taken a new turn – emails supposedly from lenders or title companies telling those who have just sold their home to wire the down payment needed for a new home to the crooks.  The FBI says this has increased a great deal over the last six months. This video does a good job explaining how this works.  Feel free to share.

Facebook Fraud

Woman in Cape Coral, FL received a message on Facebook from a “friend” who told her she had qualified for a free government grant of $20,000; she sent $300 through Western Union to Nigeria.

NPR: an internet search turned up a fake phone number for Facebook.  The victim was told that to solve his problem he needed to buy iTunes gift cards.

Grandparent Fraud

77-year-old woman in Springfield, MO sent $2500 through MoneyGram in a grandparent fraud; a man was arrested in Tewksbury, MA when he picked up the money.

Police in Ramapo NY arrest grandparent fraudster

Other Recent Enforcement

New Legislation

Legislation Introduced by Senators Collins and McCaskill would train financial professionals and allow them to report suspicions about financial abuse of elderly customers

Just for Fun

Click here for spectacular pictures from around the world