The owner of AshleyMadison.com, a website which offers "discreet" dating services to users seeking extramarital affairs, has settled charges with states and the federal government following a hack last year that exposed 36 million users' accounts.
In a statement on Wednesday, the Federal Trade Commission (FTC) said the Toronto-based website owner, Ruby (formerly known as Avid Life Media), must pay $1.6 million in charges as a result of the breach.
The company must also implement a comprehensive data security plan.
The FTC, which called it the "largest data breach" that it has investigated to date, accused the company of deceiving and failing to protect 36 million users from 46 different countries.
According to the FTC complaint, the website had no written information security policy, no reasonable access controls, inadequate security training of employees, and no way to monitor the effectiveness of their systems.
The company was also found to have created bots and fake personas in order to draw free users into paying for account.
"The global settlement requires AshleyMadison.com to implement a range of more robust data security practices that will better-protect its users' personal information from criminal hackers going forward," said Edith Ramirez, FTC chairwoman.
The agency worked with 13 states, including Vermont, in order to bring the charges.
"Creating fake profiles and selling services that are not delivered is unacceptable behavior for any dating website," said William Sorrell, Vermont's attorney general. "I was pleased to see the FTC and the state attorneys general working together in such a productive and cooperative manner. Vermont has a long history of such cooperation, and it's great to see that continuing."