The owner of hacked infidelity website Ashley Madison will pay a sharply discounted US$1.66 million penalty to settle an investigation by the US Federal Trade Commission and several US states into lax data security and deceptive practices, the company and authorities said on Wednesday.
The remainder of a US$17.5 million settlement was suspended based on privately held Ruby Corp's inability to pay.
"I recognise that it was a far lower number frankly than I would have liked," FTC chairwoman Edith Ramirez said on a call with reporters. "We want them to feel the pain. We don’t want them to profit from unlawful conduct. At the same time, we are not going to seek to put a company out of business."
The size of the payment means that Ashley Madison's customers will not receive any financial redress for the breach, which exposed the personal details of more than 36 million people who signed up for the site with the slogan "Life is short. Have an affair".
Class-action lawsuits against the company are pending.
The joint investigation, which also included authorities in Australia and Canada, found the Toronto-based company's lax security practices allowed intruders access to its computer networks several times between November 2014 and June 2015 without being discovered.
The investigation also found that Ruby, as the company previously known as Avid Life Media has rebranded itself, created fake female profiles to lure men into paying for conversations and retained user information even after customers had paid for a service to "remove all traces of your usage."
The company first disclosed it was the target of an FTC investigation in a Reuters interview in July. At that time it said it was likely to collect US$80 million in revenue in 2016 and had US$50 million to spend on acquisitions.
Top executives on Wednesday declined to update that outlook and said they had spent millions of dollars to beef up security.
"The company is stable. We're very pleased with the outcome," said Rob Segal, who took over as chief executive earlier this year. Founder Noel Biderman left the company soon after almost 10 gigabytes of its data was leaked in several stages in mid-2015.
The company has offered a free delete function since September 2015, when it discontinued the paid feature.
Avid shut down the fake profiles in the United States, Canada and Australia in 2014 and by late 2015 in the rest of the world, but some US users had message exchanges with foreign fembots until late in 2015, according to an Ernst & Young report commissioned by the company.
Another site, JDI Dating, paid $616,165 in redress for similar fake profile practices in an October 2014 settlement with the FTC.
(Editing by Alan Crosby)