.png)
.png)
A mortgage servicer has agreed to pay $4.25 million to settle charges that it exposed customer information to hackers by failing to establish required safeguards under New York's cybersecurity statute.
The New York State Department of Financial Services (NYDFS) stated in a consent order agreed to with the company and signed off on Wednesday that OneMain Financial Group did not comply with requirements needed by New York's 2017 Cybersecurity Regulation.
The specifics: According to the NYDFS, OneMain had written rules for doing due diligence on third parties, as required by the regulation, but did not follow them. According to the NYDFS, one result of this mistake was that from December 2017 to January 2018, a vendor that processed debit card payments for OneMain inadvertently offered some consumers access to the personal data of other customers.
According to the agency, OneMain also failed to alter risk rankings for vendors when necessary.
According to the NYDFS, the corporation permitted administrators to keep default passwords and share accounts, compromising its capacity to detect attacks and identify fraudulent persons.
"This settlement demonstrates the department's ongoing dedication to upholding the responsibility of licensees, particularly those with access to personal financial information of consumers, such as OneMain, in taking all actions necessary to protect the data of New Yorkers," said Adrienne Harris, superintendent of the NYDFS, in a press release.
Considerations for compliance: OneMain committed to conduct a few corrective tasks within 180 days and produce written documentation of completion to the NYDFS during the next 60 days.
Among the duties include developing written policies and procedures to protect the company's and mortgage applicants' data, addressing business continuity and disaster recovery planning, and implementing a plan to review user access credentials.
The NYDFS praised OneMain for their collaboration, the provision of "significant" financial resources to remediation, and ongoing efforts to address the highlighted inadequacies.
Company response: “OneMain is committed to being a leader in cybersecurity and will continue our substantial investments in our cybersecurity and data protection programs,” the company said in an emailed statement. “We are pleased to have resolved this historical matter relating primarily to a past examination of our policies from 2017 to early 2020, which the company has long since addressed. Cybersecurity is an evolving area, and we intend to continue our focus on enhancing our capabilities to meet risks as they arise in the future, in accordance with best practices for our industry and in cooperation with our regulators.”
By fLEXI tEAM