New York regulators fine OneMain $4.25 million over cybersecurity practices

The New York State Department of Financial Services issued a $4.25 million penalty against OneMain Financial Group on Wednesday after finding that the subprime lender maintained poor cybersecurity practices, such as allowing employees and other trusted users, including vendors, to use default passwords on accounts with access to private customer information.

In its Thursday morning announcement about the penalty, the department said OneMain also failed to effectively manage risks posed by third-party service providers, manage access privileges and maintain a formal application security development methodology, in violation of the department's cybersecurity regulations.

The penalty came after an examination by the department of the cybersecurity policies that OneMain maintained from December 2016 to the end of March 2020. During that period, the department found at least three instances of data breaches at OneMain.

Adrienne Harris, New York banking superintendent, said the settlement with OneMain "demonstrates the department's dedication to upholding the responsibility of licensees," particularly when they have access to New Yorkers' personal financial information.

Cyber security

Should N.Y.'s strict cybersecurity rule be a model for the country?

As the state phases in tougher requirements from its 2017 regulation, federal agencies continue to show an interest in updating their cyber policies.

By Rachel Witkowski

August 17

A spokeswoman for OneMain said the company was "pleased to have resolved this historical matter," which it "has long since addressed." She said OneMain is "committed to being a leader in cybersecurity" and would continue investing in its data protection programs.

"Cybersecurity is an evolving area, and we intend to continue our focus on enhancing our capabilities to meet risks as they arise in the future, in accordance with best practices for our industry and in cooperation with our regulators," the spokeswoman said.

The spokeswoman acknowledged that OneMain did permit employees to share privileged accounts that had access to customer information and that these accounts were allowed to use the default passwords they were initially set up with. These risks "resulted in zero customer harm," she said.

OneMain, which the department said in the consent order had $4.37 billion in annual revenue and 2.45 million customer accounts in 2021, acknowledged that it has suffered multiple cybersecurity incidents and data breaches in recent years. In 2018 alone, the company suffered at least four data privacy incidents.

One of these incidents involved only one person's private information, according to a nonprofit that tracks data privacy incidents. Another involved hackers compromising OneMain customer emails to access their account information, according to notices sent to New Jersey customers. The department outlined two other incidents from 2018 and one from 2020 in the consent order against OneMain.

The OneMain spokeswoman said of the data privacy incidents it had suffered since 2018, "we are not aware of any customers who were harmed by any of these incidents." However, OneMain has sent notices to customers telling them that their personal information had been compromised on at least two occasions since 2018.

One set of notifications went to New Jersey residents in 2018; the other set went to California residents in 2022. The company did not specify how many customers received these letters.

In addition to the $4.25 million penalty it will pay, OneMain must also write policies designed to remediate the cybersecurity shortcomings identified in the consent order and, once executed, submit a report to the department to prove it had done so.