The company behind Ashley Madison, the adultery enabling website, has agreed to pay a $1.6 million settlement related to a major data breach last year that exposed account details of 36 million users.
Ashley Madison’s operator, Toronto-based Ruby, is making the settlement for failing to protect the account information and for creating fake user profiles to lure in prospective customers, the U.S. Federal Trade Commission said on Wednesday.
In July 2015, a hacking group called Impact Team managed to steal the account details and then post them online a month later — potentially damaging the reputation of the customers using the adultery website.
The FTC alleges the Ashley Madison site suffered from lax security, allowing hackers to break in several times between Nov. 2014 and June 2015. The service also retained personal information of users who had paid $19 to delete their data from the site, the FTC said.
The agency also found that Ashley Madison had managed to attract customers, including 19 million from the U.S., partly through fake profiles of women designed to entice them into becoming paying members.
U.S. investigators initially wanted Ruby to pay $17.5 million in the settlement, but the remaining amount was suspended based on the company’s inability to pay, New York Attorney General Eric Schneiderman said in a statement.
As part of Wednesday’s settlement, Ruby is required to institute a comprehensive data security program to protect customers’ information. It must also undergo third-party audits to check for compliance.
Half of the $1.6 million will go the FTC, with the remainder paid to state authorities involved in the investigation.
“Today’s settlement closes an important chapter on the company’s past and reinforces our commitment to operating with integrity,” Ruby said in a statement.
However, as part of the settlement, Ruby “neither admits nor denies” the allegations made by the FTC in its investigation.
Earlier this year, privacy officials in Canada and Australia also found that the Ashley Madison website was using deceptive practices to attract customers. This includes marketing itself with a phony security award.
Ruby, formerly known as Avid Life Media, has apologized for the data breach and is attempting to revamp its operations with better security measures. The Ashley Madison site continues to operate and claims to have 50 million members.