The cheater dating website Ashley Madison, which got hacked and exposed the secret lives of millions of Americans, has agreed to a $1.7 million settlement with several U.S. states and the federal government.
The settlement, announced Wednesday by New York State Attorney General Eric Schneiderman, is a scathing admission of fraudulent business practices.
Government investigators in New York State and elsewhere found that Ashley Madison created fake dating profiles that duped customers.
And as CNNMoney has revealed in the past the company kept on file the sensitive information of long-gone customers — such as their names, contact information, and sexual preferences — even though those people had paid $19 for a “full delete” of their profiles.
New York investigators detailed additional deceptive practices, including claiming it had earned “a ‘Trusted Security Award,’ which appears to have been fabricated.”
It was also cited for the “use of an emblem indicating ‘Certified Zero Risk TM,’ which had not been awarded by any certification entity; and representations that it was a ‘100% Discreet Service’ and ‘100% Secure.'”
In the settlement, Ashley Madison agreed to pay $1.65 million that will be divided among 13 states and the Federal Trade Commission.
The government initially sought a $17.5 million penalty, but agreed to the lower amount because Ashley Madison’s parent company, “Ruby Corp.’s inability to pay,” according to New York State investigators.
The company had changed its name in July from Avid Life Media when it launched a corporate makeover.
“This settlement should send a clear message to all companies doing business online that reckless disregard for data security will not be tolerated,” Schneiderman said in a statement.
More than 652,000 New York residents were members of Ashley Madison at the time of the security breach, according to state investigators.
Ashley Madison did not immediately return calls for comment.
The 2015 hack revealed extremely sensitive personal information and led to at least one suicide.
In addition to monetary penalties, the Ruby Corp. agreed to “cease engaging in certain deceptive practices, to not create fake profiles, and to implement a stronger data security program,” according to New York officials.
Other states involved in the lawsuit were Alaska, Arkansas, Hawaii, Louisiana, Maryland, Mississippi, North Dakota, Nebraska, New York, Oregon, Rhode Island, Tennessee, Vermont, and the District of Columbia.
The company still faces the prospect of a class action lawsuit by angry customers.