The owner of hacked infidelity website Ashley Madison will pay $1.66 million to settle an investigation by the U.S. Federal Trade Commission and several U.S. states into lax data security and deceptive practices, the company and authorities said on Wednesday.
The remainder of a $17.5 million settlement was suspended based on privately-held Ruby Corp.’s inability to pay, the office of New York Attorney General Eric T. Schneiderman said in a statement.
The company first disclosed it was the target of an FTC investigation in a Reuters interview in July.
The agreement follows investigations by the FTC, 13 states and the District of Columbia, which found the company had lax security practices in place at the time of the July 2015 breach, which exposed the personal details of millions of people who signed up for the site with the slogan “Life is short. Have an affair”.
The Federal Trade Commission, which was lead on the case, said that the company failed to protect 36 million user accounts while advertising that the cheating site was secure.
“This case represents one of the largest data breaches that the FTC has investigated to date,” said FTC Chairwoman Edith Ramirez. “The global settlement requires AshleyMadison.com to implement a range of more robust data security practices that will better protect its users’ personal information from criminal hackers.”
The investigation also found that Ruby, as the company previously known as Avid Life Media has rebranded itself, created fake female profiles to lure men into paying for conversations and retained user information even after customers had paid for a service to “remove all traces of your usage.”
Get Data Sheet, Fortune’s technology newsletter.
A spokeswoman said Ruby, which neither admitted nor denied the allegations, has committed to maintain a comprehensive information security program and not repeat prior, potentially misleading, practices.
The company has offered a free delete function since September 2015, when it discontinued the paid feature.
A prior joint investigation by privacy commissioners in Canada and Australia said Ashley Madison had violated the privacy laws of both countries.
Avid shut down the fake profiles in the United States, Canada, and Australia in 2014 and by late 2015 in the rest of the world, but some U.S. users had message exchanges with foreign fembots until late in 2015, according to an Ernst & Young report commissioned by the company.
Another site, JDI Dating, paid $616,165 in redress for similar practices in an October 2014 settlement with the FTC.