The New York State Department of Financial Services (DFS) has fined OneMain Financial $4.25 million for violating the state’s cybersecurity regulation by failing to manage third-party service provider risk, failing to manage user access privileges, and failing to maintain a formal application security development methodology.
In 2018 and 2019, the company’s internal audit team found that users were sharing accounts and were still using the default passwords issued to them when they were hired. Passwords were also stored on shared drives; although the file was encrypted and password-protected, it sat in a folder named PASSWORDS, and anyone with access to the shared drive could have renamed, moved, or deleted it, according to DFS.

DFS also found that the company lacked a sufficiently formalized methodology for its project administration frameworks, did not provide secure coding training to its programmers, and neither tracked nor enforced training for the roughly 500 employees in its IT department.

On vendor management, OneMain was not conducting timely due diligence on certain high-risk and medium-risk vendors and, in some cases, allowed vendors to begin work before they had completed the onboarding security questionnaire. The company also failed to monitor its vendors, some of which had experienced incidents in which unauthorized users gained access to customer information.
Along with paying the fine, OneMain must:
- Implement a written policy to address Business Continuity and Disaster Recovery planning and the maintenance of documentation;
- Implement a plan to properly review and maintain user access privileges;
- Maintain and implement written policies and procedures for the protection of the Company’s Information Systems, and the Nonpublic Information (NPI) stored on those Information Systems, during application development;
- Implement training procedures sufficient to address relevant cybersecurity risks and verify that key cybersecurity personnel have completed training sufficient to maintain current knowledge of changing cybersecurity threats and countermeasures; and
- Update its policies and procedures to ensure protection of NPI that is accessible to, or held by, third parties.