Online payment platform Dwolla has been ordered by the Consumer Financial Protection Bureau (CFPB) to pay a $100,000 fine for deceiving consumers about its data security practices and the safety of its online payment system.
US-based Dwolla has been operating since late 2009 and now has over 650,000 users who, in order to use the service, have to share sensitive personal and financial information with the company through its website and mobile apps.
“From December 2010 until 2014, Dwolla claimed to protect consumer data from unauthorized access with ‘safe’ and ‘secure’ transactions. On its website and in communications with consumers, Dwolla claimed its data security practices exceeded industry standards and were Payment Card Industry Data Security Standard compliant. They claimed also that they encrypted all sensitive personal information and that its mobile applications were safe and secure,” the CFPB noted.
“But rather than setting ‘a new precedent for the payments industry’ as asserted, Dwolla’s data security practices in fact fell far short of its claims. Such deception about security and security practices is illegal.”
So what did Dwolla do? According to the CFPB, the company did not employ “appropriate measures to protect data obtained from consumers from unauthorized access,” it claimed that the collected information was securely encrypted and stored when it wasn’t, and its applications weren’t tested for security before being released to the public.
More details about this can be found in the actual order, but include things like encouraging consumers “to submit sensitive information via e-mail in clear text, including Social Security numbers and scans of driver’s licenses, utility bills, and passports, in order to expedite the registration process for new users,” and not conducting mandatory employee data security trainings until mid-2014.
Aside from paying the aforementioned fine, the company has also been ordered to fix its security procedures (train employees properly, fix security flaws in its web and mobile apps, securely store and transmit customer data, implement a program of risk assessments and audits) and to “stop deceiving consumers about the security of its online payment system.”
Dwolla’s reaction was to publish a blog post explaining all the security measures currently in place when it comes to data protection, without mentioning the CFPB’s order at all.
After describing itself as a “young company trailblazing new technologies, possibilities, and concepts in payment,” the only concession to the claim that it might have deceived its users is this paragraph:
“Dwolla was incorporating new ideas because we wanted to build a safer product, but at the time we may not have chosen the best language and comparisons to describe some of our capabilities. It has never been the company’s intent to mislead anyone on critical issues like data security. For any confusion we may have caused, we sincerely apologize.”
They went on to say that since its launch, “Dwolla has not detected any evidence or indicators of a data breach, nor has Dwolla received a notification or complaint of such an event.”