Lender OneMain fined $4.25 million for cybersecurity lapses
OneMain Financial Group, which specializes in issuing loans to people with “nonprime” credit histories, will pay a $4.25 million penalty in New York state for cybersecurity lapses found during a government investigation.
“OneMain failed to effectively manage third-party service provider risk, manage access privileges, and maintain a formal application security development methodology, significantly increasing the company’s vulnerability to cybersecurity events,” the state Department of Financial Services (DFS) said in an announcement Thursday.
The DFS investigation found, for example, that the company allowed local administrative users to share accounts and permitted those accounts to use the default password that users got when they were onboarded.
Other documented lapses include problems with application security.
“OneMain used a non-formalized project administration framework it had developed in-house that failed to address certain key software development life cycle phases,” the department said.
The company also did not assess third-party vendors properly, despite having a policy in place for determining their risk ratings, DFS said.
“OneMain further failed to appropriately adjust several vendors’ risk scores even after the occurrence of multiple cybersecurity events precipitated by the vendors’ improper handling of non-public information and poor cybersecurity controls,” the department said.
In a response cited by Compliance Week, the Evansville, Indiana-based company said it has “long since addressed” problems found in the investigation, which examined its policies from 2017 to early 2020.
“Cybersecurity is an evolving area, and we intend to continue our focus on enhancing our capabilities to meet risks as they arise in the future, in accordance with best practices for our industry and in cooperation with our regulators,” the company said.
OneMain reported revenues of $1.09 billion for the first quarter of 2023. The company specializes in helping customers who might not be able to get loans with other lenders.
DFS and the state attorney general’s office have been aggressive in pursuing cybersecurity settlements from companies that operate in New York. Recent examples include a case with insurer EyeMed and the parent company of retailer SHEIN in 2022. This week alone, the attorney general fined a sporting goods retailer and a medical management company for data protection lapses.
Joe Warminsky is the news editor for Recorded Future News. He has more than 25 years' experience as an editor and writer in the Washington, D.C., area. Most recently he helped lead CyberScoop for more than five years. Prior to that, he was a digital editor at WAMU 88.5, the NPR affiliate in Washington, and he spent more than a decade editing coverage of Congress for CQ Roll Call.