The operators of the Ashley Madison affair-minded dating website agreed Wednesday to pay a $1.6 million penalty over a data breach exposing data from 36 million users, US officials announced.
Ashley Madison’s Canadian parent company Ruby agreed to the penalty to settle charges with the US Federal Trade Commission and state regulators for failing to protect confidential user information.
The settlement comes after a hacker group last year released what was said to be personal data on millions of members of Ashley Madison, who were based in 46 countries. The fallout led to reports of blackmail and even suicides.
The financial penalty, split between the federal government and US states suing the company, would increase to $8.75 million to the FTC plus $8.75 million to states if Ashley Madison fails to abide by new information security practices and refrain from misleading consumers.
“This case represents one of the largest data breaches that the FTC has investigated to date, implicating 36 million individuals worldwide,” said FTC chairwoman Edith Ramirez.
“The global settlement requires AshleyMadison.com to implement a range of more robust data security practices that will better protect its users’ personal information from criminal hackers going forward.”
Ramirez said the penalty being paid is too small to allow for “redress” or compensation to affected consumers, noting that compensation is rarely obtained in data security cases.
“We want them (the company) to feel the pain, we don’t want them to profit from unlawful conduct,” Ramirez told reporters in a conference call.
But she added that “it would not serve the public interest to put them out of business.”
Earlier this year, the dating website — whose motto had been “life is short, have an affair” rebooted, calling itself an “open-minded dating” service.
The company said at the time it will no longer use female “bots” or automated programs that respond to members pretending to be women on the hunt for men. According to the FTC complaint, until August 2014, operators of the site lured customers, including 19 million Americans, with fake profiles of women designed to convert them into paid members.
The company failed to adequately protect users’ personal information such as date of birth, relationship status and sexual preferences, according to the complaint.
The company confirmed the settlement, saying it would help it move past the hacking episode.
“Today is a pivotal day for our members and for Ashley Madison,” said a statement from Ruby chief executive Rob Segal.
“Today’s settlement closes an important chapter on the company’s past and reinforces our commitment to operating with integrity and to building a new future for our members, our team and our company.”
The settlement followed an investigation in cooperation with consumer protection authorities in Canada and Australia. Thirteen US states plus the federal District of Columbia joined the lawsuit.