
A series of security errors and mishaps has cost personal loan provider OneMain $4.25m in penalties, issued by the New York State Department of Financial Services.

OneMain experienced “at least” three security incidents over three years, from 2018 to 2020. The fines, coming at the end of a detailed investigation into how security practices at the company were determined to be below par, serve as a timely warning to other organisations.

The business is a licensed lender and mortgage servicer and, as SC Magazine notes, financial entities should adhere to a framework of security requirements. These requirements include that best practices are evident at all times to ensure both consumer data and internal systems are safe from harm.

…OneMain Financial Group LLC (“OneMain”) will pay a $4.25 million penalty to New York State for violations of DFS’s Cybersecurity Regulation (23 NYCRR Part 500). OneMain failed to effectively manage third-party service provider risk, manage access privileges, and maintain a formal application security development methodology, significantly increasing the company’s vulnerability to cybersecurity events.

Unfortunately for OneMain, the New York State investigation highlighted several major issues which resulted in the eventual settlement. Going back to the release for some examples:

OneMain permitted local administrative users to share accounts, compromising the ability to identify malicious actors, and also permitted those accounts to use the default password provided by OneMain at the time of user onboarding, increasing the risk of unauthorized access.

Use of default passwords is bad enough, but SC Magazine also notes that a file containing passwords was stored in a folder named “PASSWORDS”. Add to this that access restrictions were not good enough, and you have a recipe for disaster.

The Department’s investigation further found that OneMain’s application security policy lacked a formalized methodology addressing all phases of the company’s software development life cycle. Instead, OneMain used a non-formalized project administration framework it had developed in-house that failed to address certain key software development life cycle phases, a consequence of which was increased vulnerability to cybersecurity events.

Failing to have any sort of coherent strategy for software life cycles is never going to end well.

So far we’ve seen issues with default passwords, data storage, and software life cycle management. Whether a business ignores Windows updates or neglects security maintenance for bespoke setups and software, the possibility of falling victim to an attack can only ever go up as time passes.
