A series of security errors and mishaps has cost personal loan provider OneMain $4.25m in penalties, issued by the New York State department of financial services. The fines, coming at the end of a detailed investigation into how security practices at the company were determined to be below-par, serve as a timely warning to other organisations.

OneMain experienced “at least” three security incidents over three years, from 2018 to 2020. The business is a licensed lender and mortgage servicer and as SC Magazine notes, financial entities should adhere to a framework of security requirements. These requirements include that best practices are evident at all times to ensure both consumer data and internal systems are safe from harm. From the DFS release:

…OneMain Financial Group LLC (“OneMain”) will pay a $4.25 million penalty to New York State for violations of DFS’s Cybersecurity Regulation (23 NYCRR Part 500). OneMain failed to effectively manage third-party service provider risk, manage access privileges, and maintain a formal application security development methodology, significantly increasing the company’s vulnerability to cybersecurity events.  

Unfortunately for OneMain, the New York State investigation highlighted several major issues which resulted in the eventual settlement. Going back to the release for some examples:

…OneMain permitted local administrative users to share accounts, compromising the ability to identify malicious actors, and also permitted those accounts to use the default password provided by OneMain at the time of user onboarding, increasing the risk of unauthorized access.

Use of default passwords is bad enough, but SC Magazine also notes that a file containing passwords was stored in a folder named “PASSWORDS”. Add to this that access restrictions were not good enough, and you have a recipe for disaster.

The release continues:

The Department’s investigation further found that OneMain’s application security policy lacked a formalized methodology addressing all phases of the company’s software development life cycle. Instead, OneMain used a non-formalized project administration framework it had developed in-house that failed to address certain key software development life cycle phases, a consequence of which was increased vulnerability to cybersecurity events. 

Failing to have any sort of coherent strategy for software life cycles is never going to end well. Whether a business ignores Windows updates, or even maintaining security for bespoke setups and software, the possibility of falling victim to an attack can only ever go up as time passes.

So far we’ve seen issues with default passwords, data storage, and software life cycle management. This alone would be bad enough. However, the next issue pulled up as evidence of the fine-worthy practices may well be the worst of the bunch. We go once more to the release:

OneMain did not conduct timely due diligence for certain high- and medium-risk vendors, despite the existence of a third-party vendor management policy requiring that each vendor undergo an assessment to determine the vendor’s risk rating and the appropriate level of due diligence OneMain should perform on the vendor. OneMain further failed to appropriately adjust several vendors’ risk scores even after the occurrence of multiple cybersecurity events precipitated by the vendors’ improper handling of non-public information and poor cybersecurity controls.

What this means is that OneMain worked with various third-party vendors without doing their due diligence in terms of potential security threats. This is despite many of the vendors being flagged as medium to high risk.

With all of this in mind, it’s perhaps easy to see why the New York State DFS started down the road to such a fine. Even so, The Record notes that OneMain reported $1.09 billion in revenue for the first quarter of 2023. While we can ponder if a few million in fines makes much of a difference overall, OneMain has agreed to “engage in further significant remediation measures”. It remains to be seen what the consequences will be should they not stick to the plan.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.