Dwolla, a payments startup, used to say it was setting “a new precedent for the payments industry” when it came to data security.
Oops.
The Des Moines, Iowa-based company was hit with a $100,000 fine from the Consumer Financial Protection Bureau (CFPB) over data security issues, the CFPB announced yesterday (March 2).
From December 2010 to 2014, Dwolla told customers that its data security was better than industry standards, that the company encrypted all sensitive personal information, and that mobile apps that use Dwolla would be secure, too.
But the CFPB says that Dwolla didn’t encrypt all of its customers’ personal data, didn’t “exceed” or “surpass” industry standards, and didn’t meet the Payment Card Industry Data Security Standard—which focuses on data security.
It’s the first case where the CFPB has cracked down on data security, and one of the rare fines levied on fintech companies in general. The CFPB recently announced a new policy where startups can apply for a no-action letter, which essentially protects startups from regulatory scrutiny for a period of time. The regulatory agency did fine PayPal $10 million over concerns about its credit product in May 2015.
Dwolla responded to the complaints with a lengthy blog post outlining its current security protocols.
The regulator also noted that Dwolla didn’t do a great job of educating employees about security, either. According to a copy of the complaint, the payments startup issued a security test by a third-party company in December 2012, where employees would be sent a phishing email with a suspicious URL inside.
“Nearly half of Respondent’s employees opened the e-mail, and of those, 62% of employees clicked on the URL link. Of those that clicked the link, 25% of employees further attempted to register on the phishing site and provided a username and password,” the complaint read.
Phishing attacks have caused major hacks recently, including the Sony cyberattack.