In its first enforcement action over data security, the Consumer Financial Protection Bureau has accused startup Dwolla of making false claims about the safety of its online payment system.
Dwolla agreed to pay $100,000 to settle the CFPB’s charges it misrepresented the effectiveness of its data-security practices, telling consumers it set “a new precedent for the industry for safety and security” when, according to the bureau, it actually “failed to employ reasonable and appropriate measures to protect [consumers’] data … from unauthorized access.”
Among other things, Dwolla allegedly failed to use encryption technologies, test the security of apps it released to the public, and educate staff about the dangers of phishing.
“With data breaches becoming commonplace and more consumers using these online payment systems, the risk to consumers is growing,” CFPB Director Richard Cordray said in a news release. “It is crucial that companies put systems in place to protect this information and accurately inform consumers about their data security practices.”
As part of a consent order, Dwolla also agreed to fix its security flaws and make other improvements. “We may not have chosen the best language and comparisons to describe some of our capabilities,” the company said in a blog post. “It has never been the company’s intent to mislead anyone on critical issues like data security.”
Since its launch more than five years ago, the company said, it “has not detected any evidence of or indicators of a data breach.”
Dwolla, which had more than 650,000 customer accounts and transferred as much as $5 million a day as of May 2015, is among a growing number of online payment services, competing with the likes of Square and PayPal’s Venmo unit.
According to the CFPB, Dwolla claimed to protect consumer data from unauthorized access with “safe” and “secure” transactions but its “data security practices in fact fell far short of its claims,” violating the Consumer Financial Protection Act.
The consent order said Dwolla not only did not encrypt consumers’ personal information but also encouraged users to submit sensitive data via email in clear text.
Featured image: Thinkstock