OneMain pays $4.25M after ignored security flaws caused data breaches

OneMain Financial experienced at least three lengthy cybersecurity events between 2018 and 2020 brought on by a host of security program and access control failures that made it “more vulnerable to instances of unauthorized access,” according to the audit findings from the New York Department of Financial Services.

Superintendent of Financial Services Adrienne A. Harris announced on May 25 that OneMain Financial will pay the state regulator a $4.25 million penalty to resolve the violations found during a routine DFS audit.

The failures were tied to multiple cybersecurity incidents.

In one example, DFS reported that from Dec. 29, 2017, through Jan. 9, 2018, a third-party vendor tasked with processing and managing online debit card payments gave some users unauthorized access to other customers’ NPI. The incident was deemed to be caused by the vendor failing to purge old customer account numbers before assigning the numbers to new accounts.

Again in 2018, a hacker accessed the emails of OneMain’s collections law firm, which contained customer identifiers. Then on July 10, 2020, OneMain sent a link through its online portal that contained code tied to hundreds of customers, as part of the first stage of a software update.

“Such code should have been thread safe, i.e., designed and tested to ensure it performs only as intended,” according to DFS findings. “This code was not thread-safe, however, and certain customers who logged into their accounts were unintentionally migrated to other account holders’ documents.”

Under the 2017 DFS Cybersecurity Regulation, financial entities are required to adhere to a framework of security requirements that ensure companies are employing best practice measures to protect their information systems and consumer data from security risks.

The cybersecurity regulation requires entities to limit user access privileges for systems that contain consumer data and periodically review access privileges. 

Audits found deficient cybersecurity program at OneMain

An audit into OneMain found the company failed to adequately manage third-party service provider risk and access privileges, and didn’t maintain a formal security development methodology for applications. Not only that, but the company’s own security found a host of vulnerabilities and security issues, but failed to remediate these issues.

DFS also found deficiencies in OneMain’s cybersecurity program, which had not been found during its own internal audit unit.

OneMain’s internal audit team found a host of issues tied to user access privileges in 2018 and 2019, through six manually conducted privilege access reviews. The manual nature of the audit introduced “a high risk of human error that is unacceptable for a network with hundreds of applications and more than 11,000 users.”

The company’s audit team also discovered local administrative users were sharing accounts, making it difficult, if not impossible, to identify malicious actors. OneMain also allowed accounts to use default passwords provided by OneMain to users during onboarding, increasing the risk of unauthorized access.

The internal audit also found passwords were being stored on shared drives and without adequate access restrictions. And though “the file containing the passwords was encrypted and password-protected, it was stored in a folder named ‘PASSWORDS.’”

“Anyone with access to that internal shared drive, which included personnel in OneMain’s call center, could rename, move, or delete the folder,” according to DFS findings. The lack of protection could give a malicious actor easy access to the company’s information systems.

Outside of the identity and access management flaws, DFS uncovered laundry list of vulnerabilities in OneMain’s application security program, cybersecurity training for workforce members, and its security policy for third-party vendors.

The vendor issues, including a lack of “appropriate level of due diligence,” saw the company relying on at least eight business partners deemed high-risk and medium-risk. In multiple instances, DFS found OneMain allowed a vendor to begin work, even after making those risk-based determinations.

What’s more, “OneMain failed to appropriately adjust the risk scores of several vendors after the occurrence of multiple cybersecurity events precipitated by the vendors’ improper handling of NPI and poor cybersecurity controls,” according to DFS. “Instead, OneMain simply terminated its relationship with each of the vendors and… without… enhancing its own third-party service policies.

Harris said the OneMain settlement is intended to demonstrate DFS’ commitment to upholding its 2017 regulation, particularly companies with access to the financial data of consumers and will take “all actions necessary to protect the data of New Yorkers.”