DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

CFPB fines start-up Dwolla $100,000 for misrepresenting its data security

Posted on March 3, 2016 by Dissent

It’s not just the FTC looking at your security and your representations to clients about the security of your product. While the FTC recently settled charges against Henry Schein Practice Solutions for advertising a Dentrix product as providing “encryption” when it didn’t,  the Consumer Financial Protection Bureau is also taking aim at companies that mislead consumers about security, as Alistair Gray reports on Financial Times:

A financial technology start-up has been fined $100,000 for deficiencies in its cyber defence systems in a sign that new online payment networks are facing tougher scrutiny from regulators.

The Consumer Financial Protection Bureau on Wednesday handed its first penalty for data security shortcomings to Dwolla, an ecommerce company that is little more than five years old.

Here is the text of the CFPB’s statement announcing the fine:

CFPB Takes Action Against Dwolla for Misrepresenting Data Security Practices

Payment Processor Deceived Consumers About the Data Security Risks of Using Its Online System

WASHINGTON, D.C. – The Consumer Financial Protection Bureau today took action against online payment platform Dwolla for deceiving consumers about its data security practices and the safety of its online payment system. The CFPB ordered Dwolla to pay a $100,000 penalty and fix its security practices.

“Consumers entrust digital payment companies with significant amounts of sensitive personal information,” said CFPB Director Richard Cordray. “With data breaches becoming commonplace and more consumers using these online payment systems, the risk to consumers is growing. It is crucial that companies put systems in place to protect this information and accurately inform consumers about their data security practices.”

Dwolla, Inc., based in Des Moines, Iowa, operates an online payment system. Since December 2009, Dwolla has collected and stored consumers’ sensitive personal information and provided a platform for financial transactions. As of May 2015, it had more than 650,000 users and had transferred as much as $5 million per day. For each account, Dwolla collects personal information including the consumer’s name, address, date of birth, telephone number, Social Security number, bank account and routing numbers, a password, and a unique 4-digit PIN.

From December 2010 until 2014, Dwolla claimed to protect consumer data from unauthorized access with “safe” and “secure” transactions. On its website and in communications with consumers, Dwolla claimed its data security practices exceeded industry standards and were Payment Card Industry Data Security Standard compliant. They claimed also that they encrypted all sensitive personal information and that its mobile applications were safe and secure.

But rather than setting “a new precedent for the payments industry” as asserted, Dwolla’s data security practices in fact fell far short of its claims. Such deception about security and security practices is illegal. Specifically, the CFPB found, among other issues, that Dwolla misrepresented its data-security practices by:

  • Falsely claiming its data security practices “exceed” or “surpass” industry security standards: Contrary to its claims, Dwolla failed to employ reasonable and appropriate measures to protect data obtained from consumers from unauthorized access.
  • Falsely claiming its “information is securely encrypted and stored”:Dwolla did not encrypt some sensitive consumer personal information, and released applications to the public before testing whether they were secure.

Enforcement Action

Under the Dodd-Frank Wall Street Reform and Consumer Protection Act, the CFPB is authorized to take action against institutions engaged in unfair, deceptive or abusive acts or practices, or that otherwise violate federal consumer financial laws. This is the Bureau’s first data security action, and builds off advances made by several other agencies. Under the terms of the order, Dwolla is required to:

  • Stop misrepresenting its data security practices: Dwolla must stop deceiving consumers about the security of its online payment system and enact comprehensive data security measures and policies, including a program of risk assessments and audits.
  • Train employees properly and fix security flaws: Dwolla must train employees on the company’s data security policies and procedures, and on how to protect consumers’ sensitive personal information. Dwolla must also fix any security weaknesses found in its web and mobile applications, and securely store and transmit consumer data.
  • Pay a $100,000 civil money penalty: Dwolla must pay a $100,000 penalty to the CFPB’s Civil Penalty Fund.

The CFPB’s order is found at: http://files.consumerfinance.gov/f/201603_cfpb_consent-order-dwolla-inc.pdf

No related posts.

Category: Financial SectorOf NoteU.S.

Post navigation

← PA: FBI investigates Main Line Health Spear Phishing Incident (UPDATED)
MTISC-GOG investigation finds no evidence of breach →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Hunters International to provide free decryptors for all victims as they shut down (1)
  • SEC and SolarWinds Seek Settlement in Securities Fraud Case
  • Cyberattacks Disrupt Iran’s Bread Distribution, Payments Remain Frozen
  • Hacker with ‘political agenda’ stole data from Columbia, university says
  • Keymous+ Hacker Group Claims Responsibility for Over 700 Global DDoS Attacks
  • Data breach reveals Catwatchful ‘stalkerware’ is spying on thousands of phones
  • DOJ investigates ex-ransomware negotiator over extortion kickbacks
  • Hackers Using PDFs to Impersonate Microsoft, DocuSign, and More in Callback Phishing Campaigns
  • One in Five Law Firms Hit by Cyberattacks Over Past 12 Months
  • U.S. Sanctions Russian Bulletproof Hosting Provider for Supporting Cybercriminals Behind Ransomware

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Record-Breaking $1.55M CCPA Settlement Against Health Information Website Publisher
  • Ninth Circuit Reviews Website Tracking Class Actions and the Reach of California’s Privacy Law
  • US healthcare offshoring: Navigating patient data privacy laws and regulations
  • Data breach reveals Catwatchful ‘stalkerware’ is spying on thousands of phones
  • Google Trackers: What You Can Actually Escape And What You Can’t
  • Oregon Amends Its Comprehensive Privacy Statute
  • Wisconsin Supreme Court’s Liberal Majority Strikes Down 176-Year-Old Abortion Ban

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.