Proposed US Settlement Follows Massive 2015 Data Leak by ‘Impact Team’ Hackers
Ashley Madison wants to put that sordid data breach affair behind it.
On Friday, Ashley Madison parent company Ruby Life, née Avid Dating Life, announced that it’s reached an $11.2 million settlement agreement with plaintiffs in a consolidated lawsuit that was filed against the infidelity dating site following its massive July 2015 data breach.
The full terms of the settlement agreement have yet to be approved by the court. But the proposal calls for Ruby to contribute “a total of $11.2 million to a settlement fund,” designed, in part, to compensate “settlement class members who submit valid claims for alleged losses resulting from the data breach and alleged misrepresentations” tied to Ashley Madison, Ruby says in a statement.
“While Ruby denies any wrongdoing, the parties have agreed to the proposed settlement in order to avoid the uncertainty, expense and inconvenience associated with continued litigation, and believe that the proposed settlement agreement is in the best interest of Ruby and its customers,” Ruby’s statement adds.
A third of the settlement fund – $3.7 million – would go to attorneys’ fees, costs and expenses.
The remaining $7.5 million would be split between victims who used the Ashley Madison website on or before July 20, 2015, with a maximum reimbursement of $3,500 per individual. Court documents outline the proposed breakdown:
- Full delete: For anyone who spent $19 to purchase “full delete,” “paid delete” or “complete profile removal service” (up to $500 per person, based on what was actually spent);
- Credits: Customers who purchased credits for messaging on the site (up to $500, based on every dollar actually spent on a credit);
- Losses: Suffering unreimbursed losses (up to $2,000, based on actual, documented monetary losses);
- PII: Customers whose personally identifiable information was released, due to the breach (up to $500 per individual).
To help spread the word about the proposed settlement, Ruby says in court documents that it would advertise the settlement in People and Sports Illustrated magazines. According to a market research firm commissioned by Ruby, such advertising would reach 75 percent of Ashley Madison’s current and former customer base.
According to the Federal Trade Commission, 19 million Ashley Madison customers were based in the United States, while the remainder of its 36 million users were located in 45 other countries.
On Dec. 5, 2015, 24 cases in the United States – relating to the release of personal data tied to the Ashley Madison data breach, as well as claims that the service manipulated male customers by using automated chat bots – were transferred to the U.S. District Court for the Eastern District of Missouri, to be heard by Judge John A. Ross (see No Surprise: Ashley Madison Breach Triggers Lawsuits).
The next month, Ross ordered the plaintiffs to file a consolidated suit, which they did on June 3, 2016.
The consolidated lawsuit alleges that Ashley Madison’s parent company misrepresented that it had taken reasonable steps to secure the site. It also alleges that the company violated the Racketeer Influenced and Corrupt Organizations Act and the Federal Stored Communications Act, was negligent, breached an implied contract, and violated state consumer fraud and protection – as well as breach notification – statutes, among other charges.
The July 2015 Ashley Madison breach catapulted the service – and its users – into headlines, in part, because of its lurid nature, as encapsulated by the hookup site’s tagline: “Life is short. Have an affair.”
In July 2015, a hacker or group calling itself the Impact Team gave Avid an ultimatum: Shutter Ashley Madison and a sister site, “Established Men,” or prepare to see sensitive corporate communications and customer data get dumped. The group also claimed that the site engaged in fraudulent practices and highlighted how customers had to pay an additional fee to delete their data from the site.
Ashley Madison stayed open for business, and the Impact Team followed through on its threat. Via three batches of dumps, attackers released nearly 30 GB of data, including information from 36 million accounts. Details included not just customer names, email addresses, postal codes, partial credit card numbers and hashed passwords, but also GPS coordinates.
Information leaked by Impact Team suggested Avid also failed to delete former customers’ details, even after they’d paid a $19 fee for that service – a charge unheard of for such a site.
Details released by regulators have revealed that Avid had in place information security practices that could only be described as lackluster. That included employees sharing passwords via plaintext emails, storing encryption keys in plaintext, failing to password-protect an SSH shell on a server – allowing the attacker to use it to connect to other corporate servers – as well as failing to use an intrusion detection system or prevention system, or event monitoring tools that might have detected the breach or subsequent data exfiltration (see Researchers Crack 11 Million Ashley Madison Passwords).
The breach quickly became a lesson in the perils of trusting an online site with sensitive information because the dumped data made it easy to identify many members of the infidelity-focused website.
Divorce lawyers said they anticipated a bonanza of business thanks to the breach.
Reborn as Ruby
Following the breach, Avid Life Media renamed itself Ruby. Gone too was the site’s CEO as well as the infamous Ashley Madison tagline, in favor of “Find your moment.”
Ashley Madison now bills itself as “the original extramarital affairs site.”
Since the breach occurred, Ruby says that it has “implemented numerous remedial measures to enhance the security of its customers’ data.”
The company also sent takedown letters to website owners or service providers associated with sites that were hosting leaked data. “After Avid issued such letters, many of the websites removed the offending content, including, for example, ashleymadisonleakeddata.com, www.cheaterleak.com, checkashleymadison.com, and isheonthelist.weebly.com,” according to court documents.
In response to subsequent investigations in Australia and Canada, Ruby agreed to comply with an extensive set of conditions and deadlines laid out by regulators. For example, by May 31, the company needed to put in place a policy to delete inactive accounts – and all related data – after an “appropriate period.”
Last December, the company agreed to pay $1.7 million to settle Federal Trade Commission and state charges that the company deceived consumers and failed to protect users’ account and profile information, without admitting liability.
Previous Accounts: Not Verified
Belatedly, Ruby noted in its Friday statement that at the time when Ashley Madison was breached, anyone could have created an account in anyone else’s name, because accounts were not verified for accuracy – for example, that an email address used to register an account was controlled by the registrant.
“Account credentials were not verified for accuracy during this time frame and accounts may have been created using other individuals’ information,” Ruby’s statement reads. “Therefore, Ruby wishes to clarify that merely because a person’s name or other information appears to have been released in the data breach does not mean that person actually was a member of Ashley Madison.”
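The gap Ruby describes is the absence of proof that the registrant controls the e-mail address. As an added illustration (not Ruby’s code, and the `AccountStore`, `issue_token` and `verify_token` names are assumptions), this shows the usual remedy: an account stays pending, and is neither billed nor listed, until the owner returns a signed, expiring confirmation token sent to that address.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed server-side signing key; in production it lives in a secret store.
SIGNING_KEY = secrets.token_bytes(32)
TOKEN_TTL = 24 * 3600  # seconds a verification link stays valid
MAC_LEN = hashlib.sha256().digest_size


def issue_token(email: str, now: int, key: bytes = SIGNING_KEY) -> str:
    """Bind the e-mail address and an expiry time together under an HMAC."""
    payload = f"{email}|{now + TOKEN_TTL}".encode()
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + mac).decode()


def verify_token(token: str, now: int, key: bytes = SIGNING_KEY):
    """Return the e-mail the token vouches for, or None if forged or expired."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
        payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
        email, expires = payload.rsplit(b"|", 1)
        expires = int(expires)
    except ValueError:            # malformed base64 or payload
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time comparison so a forged MAC leaks nothing via timing.
    if not hmac.compare_digest(mac, expected) or now > expires:
        return None
    return email.decode()


class AccountStore:
    """Accounts start unverified; membership exists only after confirmation."""

    def __init__(self):
        self.pending = {}       # email -> outstanding token
        self.verified = set()   # emails whose owner proved control

    def register(self, email: str, now: int) -> str:
        email = email.strip().lower()
        token = issue_token(email, now)
        self.pending[email] = token   # nothing billed or listed yet
        return token                  # would be e-mailed to the address

    def confirm(self, token: str, now: int) -> bool:
        email = verify_token(token, now)
        if email is None or self.pending.get(email) != token:
            return False
        del self.pending[email]       # single use
        self.verified.add(email)
        return True
```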