Ashley Madison's parent company has agreed to pay $11.2 million to settle a class-action stemming from a disastrous data breach that exposed the names, email addresses and user names of 36 million customers.
If accepted by U.S. District Court Judge John A. Ross in St. Louis, Mo., the settlement will resolve claims that the extramarital dating site failed to use adequate security measures to protect people's data, and failed to delete users' data -- even after people paid an extra fee to insure that data about them was scrubbed. The deal also resolves claims that the company duped people into signing up by showing them fake profiles of women.
Ashley Madison did not admit wrongdoing as part of the deal.
The data breach, which occurred in 2015, reportedly was linked to at least two suicides. It also was reportedly linked to divorce proceedings and blackmail attempts. The parent company's former CEO, Noel Biderman, resigned soon after the hack.
The proposed settlement enables users to submit claims up to a maximum of $3,500 per person -- though the amount recovered will depend on factors like whether the users suffered identity theft as a result of the data breach. The total amount will also depend on how many of Ashley Madison's users submit claims.
News of the settlement comes several months after the company resolved allegations brought by the Federal Trade Commission and 13 state attorneys general.
The FTC's complaint alleged that Ashley Madison falsely represented that it took "reasonable steps" to secure users' information, and that it lured people into signing up for memberships by showing them fake female profiles -- which the company dubbed "engager profiles."
In 2014, the dating site contained more than 28,400 fake female profiles, according to the FTC. Until August 2014, the site used those fake profiles to persuade 19 million Americans to pay for memberships, which enabled people to use features like online chatting. The FTC also alleged that Ashley Madison duped around 125,000 users by charging them $19 to delete their profiles, but retaining information about those people for up to 12 months.
That prior settlement figure came to $8.75 million, but the deal only required Ashley Madison to pay $1.65 million, with half going to the FTC and the other half to be divided between 13 states -- Alaska, Arkansas, Hawaii, Louisiana, Maryland, Mississippi, Nebraska, New York, North Dakota, Oregon, Rhode Island, Tennessee, and Vermont. The remaining $7.1 million of the judgment was suspended.
Ashley Madison said late last week that the data that was posted online was not verified. "Merely because a person's name or other information appears to have been released in the data breach does not mean that person actually was a member of Ashley Madison," the company stated.
Ross is scheduled to hold a hearing on July 21 about the settlement.