The owner of dating site Ashley Madison has agreed to pay $1.6 million to settle a Federal Trade Commission investigation and state charges related to the 2015 data breach, the FTC announced Wednesday.
"This case represents one of the largest data breaches that the FTC has investigated to date, implicating 36 million individuals worldwide," FTC Chairman Edith Ramirez said in a news release. "The global settlement requires AshleyMadison.com to implement a range of more robust data security practices that will better protect its users' personal information from criminal hackers going forward."
Twelve states, including Arkansas and the District of Columbia, were part of the settlement. Arkansas will receive $52,830 as part of the deal, according to the attorney general's office.
"While I do not condone the activities of those who joined the Ashley Madison website, it is my job as Attorney General to take action when Arkansans' data is breached," Attorney General Rutledge said in a statement Wednesday. "The false actions taken by this corporation were wrong and exposed countless members to potential fraud."
Ruby, the Canadian company that owns Ashley Madison, said the proposed settlement will help the company and its members move on.
"Today's settlement closes an important chapter on the company's past and reinforces our commitment to operating with integrity and to building a new future for our members, our team and our company," Chief Executive Officer Rob Segal said in a statement. Segal was appointed in April and has sought to rebrand the company, including changing its name from Avid Life Media to Ruby.
The Ashley Madison hack was notable in part because the site aimed to help people discretely cheat on their significant others, yet the data breach left personal information about its users exposed. Hackers who called themselves the Impact Group posted a large cache of data stolen from the site online, which was quickly turned into a searchable database that wreaked havoc on some users' lives.
It also revealed that the site created fake users to lure men into paying for premium messaging service -- a practice the FTC calls deceptive and has cracked down on before.
[EMAIL UPDATES: Sign up for free breaking news alerts + daily newsletters with top headlines]
Ruby has since said it stopped using bots. Under the terms of the proposed settlement, Ruby would be barred from using such deceptive practices in the future and required to set up a comprehensive security plan, according to the FTC.
The proposed settlement calls for an $8.75 million judgment against Ruby, but the company won't actually be on the hook for that full amount. Instead, the bulk of that figure will be "partially suspended" after it pays $828,500 to the commission, according to the FTC's news release.
Ruby will also have to pay $828,500 to a coalition of 13 states and the District of Columbia that worked with the FTC on the settlement. The combined amounts equal $1.6 million. If the government finds that the company misrepresented their financial circumstances, then Ruby may have to pay the full judgment. The deal will become official once a federal district court judge signs off on it.
Ruby had already entered into a compliance agreement with Canadian privacy regulators that requires the company to improve its security, and it had made similar arrangements with Australian authorities. Officials from both countries collaborated on an earlier investigation of the breach and assisted the FTC's investigation, according to the agency's news release.
"In the digital age, privacy issues can impact millions of people around the world," Canadian Privacy Commissioner Daniel Therrien said in a statement. "It's imperative that regulators work together across borders to ensure that the privacy rights of individuals are respected no matter where they live."
Business on 12/15/2016