The owners of dating site Ashley Madison have been fined $1.6 million over a data breach in 2015 that exposed the details of 36 million users.
The Federal Trade Commission (FTC) levelled the fine over several poor practices at Ashley Madison, including a lack of a written information security policy.
Ashley Madison also did not have in place reasonable user access controls, adequate security training of employees, knowledge of third-party security practices or measures to monitor the effectiveness of its own security practices.
The site was reportedly breached several times between November 2014 and June 2015, with the lax security practices preventing the operators from realising this.
This paved the way for the July 2015 breach that led to the account information being published online by hackers, including information that users had paid to have fully purged from the site.
The FTC also criticised the fact that many customers on Ashley Madison were lured by fake profiles.
“This case represents one of the largest data breaches that the FTC has investigated to date, implicating 36 million individuals worldwide,” said FTC Chairwoman Edith Ramirez.
“The global settlement requires AshleyMadison.com to implement a range of more robust data security practices that will better-protect its users’ personal information from criminal hackers going forward.”
Compared to the scale of the breach and the severity of the FTC claims, the fine is fairly low. This is due to the financial situation of the Ashley Madison owners.
However, the court also imposed a further $8.75 million fine that would be partially suspended upon payment of $828,500. If the Ashley Madison operators are found to have misrepresented their finances, this total will become due.
The investigation involved the Australian and Canadian authorities.
The news comes as Yahoo discloses the details of another data breach, dating back to 2013, which may have affected more than one billion user accounts. This breach is believed to be separate from the 2014 breach revealed in September, in which 500 million accounts had been accessed.