Ashley Madison has tentatively offered a total of $11.2 million in compensation to users for a data breach which led to the exposure of 36 million accounts.
Late last Friday, affairs and dating website Ashley Madison’s parent company Ruby Life, formerly known as Avid Dating Life, said that an agreement has been reached between the firm and class action lawsuits brought against Ruby for the cybersecurity incident.
The adult dating site, designed with extramarital affairs in mind, was the victim of a successful cyberattack in 2015. At the time the service called itself “the last truly secure space on the Internet,” but it did not stop hackers from stealing databases full of user information and network data.
Lawsuits against the company alleged that Ashley Madison used inadequate data security practices and failed to protect user information, a serious issue especially concerning the nature of the service.
In addition, the complainants say that the service “misrepresented that they had taken reasonable steps to ensure AshleyMadison.com was secure,” and users were involved in the breach despite paying a fee to have their information permanently deleted from the website.
The lawsuits, consolidated in the United States District Court for the Eastern District of Missouri, will be dropped should the courts agree to the settlement.
However, the devil is in the details.
According to Ruby, compensation will be made available to “settlement class members who submit valid claims for alleged losses resulting from the data breach and alleged misrepresentations.”
However, “merely because a person’s name or other information appears to have been released in the data breach does not mean that person actually was a member of Ashley Madison.”
If your information was included in the breach, you are not, therefore, automatically entitled to compensation. It appears to be the case that as account credentials were not verified for accuracy in 2015, Ruby is arguing that accounts could have been created using other individuals’ information, and so it will be up to claimants to prove they were who they said they were on the website — and that they experienced loss or damages because of the data breach.
“While Ruby denies any wrongdoing, the parties have agreed to the proposed settlement in order to avoid the uncertainty, expense, and inconvenience associated with continued litigation, and believe that the proposed settlement agreement is in the best interest of ruby and its customers,” the company says.
It may also be the case that previous users entitled to compensation simply want to lay the issue to rest and will not claim.
In December, the Federal Trade Commission (FTC) ordered Ruby to pay $1.6 million in charges for allowing the data breach to occur and was also told to create a comprehensive online security plan to keep future users’ data as safe from theft as possible.
The company’s use of fake profiles and bots to entice users to subscribe to paid accounts was also placed under scrutiny.
As Ashley Madison information was uploaded online and is available for sale on the Dark Web, the threat of blackmail by cybercriminals emerged soon after the breach and continues to be ongoing. Several months ago, a group using a Ukrainian domain sent out blackmail threats demanding $500 in Bitcoin from previous users.