Ashley Madison data breach results in $11.2million settlement

July 15, 2017 |

The Ashley Madison breach of 2015 when 25 gigabytes of data, including personal information was accessed and stolen was one of the biggest breaches to that date.  It also resulted in huge embarrassment for users of the Ashley Madison website and major reputational damage for Ashley Madison.  Not only did it suffer embarrassment in its client database being accessed but the resulting analysis of the leaked data indicated that only about 12,000 of the 5.5 million female accounts were used only a regular basis, the balance, some 99% were only used on the day they were registered.  This gave rise to the allegation that most of the female participants were in fact bots.  It was a disastrous time for Ashley Madison.  It was also a salient lesson in maintaining adequate data security, a lesson generally not learned given subsequent breaches, including multiple breaches at Yahoo.

Last Friday the parent company of Ashley Madison,Ruby Corp, announced that it will pay $11.2 million to settle a class action involving 37 million users of the site.  The statement provides:

Ruby Corp. and Ruby Life Inc. (ruby), and a proposed class of plaintiffs, co-led by Dowd & Dowd, P.C., The Driscoll Firm, P.C., and Heninger Garrison Davis, LLC, have reached a proposed settlement agreement resolving the class action lawsuits that were filed beginning July 2015 following a data breach of ruby’s computer network and subsequent release of certain personal information of customers of Ashley Madison, an online dating website owned and operated by Ruby Life Inc. (formerly Avid Dating Life Inc.)  The lawsuits, alleging inadequate data security practices and misrepresentations regarding Ashley Madison, have been consolidated in a multi-district litigation pending in the United States District Court for the Eastern District of Missouri.

If the proposed settlement agreement is approved by the Court, ruby will contribute a total of $11.2 million USD to a settlement fund, which will provide, among other things, payments to settlement class members who submit valid claims for alleged losses resulting from the data breach and alleged misrepresentations as described further in the proposed settlement agreement.  Since July 2015, ruby also has implemented numerous remedial measures to enhance the security of its customers’ data.

While ruby denies any wrongdoing, the parties have agreed to the proposed settlement in order to avoid the uncertainty, expense, and inconvenience associated with continued litigation, and believe that the proposed settlement agreement is in the best interest of ruby and its customers.  In 2015, hackers gained access to ruby’s computer networks and published certain personal information contained in Ashley Madison accounts.  Account credentials were not verified for accuracy during this timeframe and accounts may have been created using other individuals’ information.  Therefore, ruby wishes to clarify that merely because a person’s name or other information appears to have been released in the data breach does not mean that person actually was a member of Ashley Madison.

The plaintiffs’ consolidated class action complaint alleges that the defendants misrepresented that they had taken reasonable steps to ensure AshleyMadison.com was secure and that the data breach resulted in the public release of certain personal information contained in AshleyMadison.com accounts and included account information of some users who had paid a fee to delete their information from the AshleyMadison.com website.

Further information regarding the settlement and the claims process will be made available if and when the settlement agreement is approved by the Court.

Reuters reports on it at Ashley Madison parent in $11.2 million settlement over data breach which provides:

The owner of the Ashley Madison adultery website said on Friday it will pay $11.2 million to settle U.S. litigation brought on behalf of roughly 37 million users whose personal details were exposed in a July 2015 data breach.

Ruby Corp, formerly known as Avid Life Media Inc, denied wrongdoing in agreeing to the preliminary class-action settlement, which requires approval by a federal judge in St. Louis.

Ashley Madison marketed itself as a means to help people, primarily men, cheat on their spouses, and was known for its slogan “Life is short. Have an affair.”

But the breach cost privately held Ruby more than a quarter of its revenue, and prompted the Toronto-based company to spend millions of dollars to improve security and user privacy.

Last December, Ruby agreed to pay $1.66 million to settle a probe by the U.S. Federal Trade Commission and several states into lax data security and deceptive practices, also without admitting liability.

According to Friday’s settlement, users with valid claims can recoup up to $3,500 depending on how well they can document their losses attributable to the breach.

Layn Phillips, a former federal judge who mediated the settlement, said in a court filing that the accord offered “a valuable recovery for the class in the face of many obstacles,” including Ruby’s preference that victims arbitrate their claims.

Lawyers for Ashley Madison users may receive up to one-third of the $11.2 million payout to cover legal fees, court papers show.

The case is In re: Ashley Madison Customer Data Security Breach Litigation, U.S. District Court, Eastern District of Missouri, No. 15-md-02669.

The case highlights how long and protracted data breach cases can be when regard is had to when the breach itself took place. The award per person in cases of this nature are quite limited however given there are a significant number of claimants the total can be significant.

On 22 February 2017 there will be mandatory data breach notification laws in Australia.  That means more notice of breaches which are all too often kept secret or details of which are keep very opaque.  The new legislative structure may provide incentive for class actions involving large breaches.

One Response to “Ashley Madison data breach results in $11.2million settlement”

  1. Ashley Madison data breach results in $11.2million settlement | Australian Law Blogs

    […] Ashley Madison data breach results in $11.2million settlement […]

Leave a Reply