The New York State Department of Financial Services issued a $4.25 million penalty against OneMain Financial Group on Wednesday after finding that the subprime lender maintained poor cybersecurity practices, such as allowing employees and other trusted users, including vendors, to use default passwords on accounts with access to private customer information.
In its Thursday morning
The penalty came after an examination by the department of the cybersecurity policies that OneMain maintained from December 2016 to the end of March 2020. During that period, the department found at least three instances of data breaches at OneMain.
Adrienne Harris, New York banking superintendent, said the settlement with OneMain "demonstrates the department's dedication to upholding the responsibility of licensees," particularly when they have access to New Yorkers' personal financial information.
As the state phases in tougher requirements from its 2017 regulation, federal agencies continue to show an interest in updating their cyber policies.
A spokeswoman for OneMain said the company was "pleased to have resolved this historical matter," which it "has long since addressed." She said OneMain is "committed to being a leader in cybersecurity" and would continue investing in its data protection programs.
"Cybersecurity is an evolving area, and we intend to continue our focus on enhancing our capabilities to meet risks as they arise in the future, in accordance with best practices for our industry and in cooperation with our regulators," the spokeswoman said.
The spokeswoman acknowledged that OneMain did permit employees to share privileged accounts that had access to customer information and that these accounts were allowed to use the default passwords they were initially set up with. These risks "resulted in zero customer harm," she said.
OneMain, which the department said in the consent order had $4.37 billion in annual revenue and 2.45 million customer accounts in 2021, acknowledged that it has suffered multiple cybersecurity incidents and data breaches in recent years. In 2018 alone, the company suffered at least four data privacy incidents.
One of these incidents involved
The OneMain spokeswoman said of the data privacy incidents it had suffered since 2018, "we are not aware of any customers who were harmed by any of these incidents." However, OneMain has sent notices to customers telling them that their personal information had been compromised on at least two occasions since 2018.
One set of notifications went to
In addition to the $4.25 million penalty it will pay, OneMain must also write policies designed to remediate the cybersecurity shortcomings identified in the consent order and, once executed, submit a report to the department to prove it had done so.