WASHINGTON (3/3/16)--Online payment platform Dwolla was hit with a $100,000 penalty, the Consumer Financial Protection Bureau (CFPB) announced Wednesday, stemming from alleged misrepresentation of Dwolla’s data security practices.
The Des Moines, Iowa-based Dwolla has collected and stored sensitive personal information since December 2009 as part of its online payment system services.
For each account, Dwolla collects personal information including the consumer’s name, address, date of birth, telephone number, Social Security number, bank account and routing numbers, a password, and a unique 4-digit PIN. As of May 2015, it had more than 650,000 users and had transferred as much as $5 million per day.
From December 2010 until 2014, Dwolla claimed to protect consumer data from unauthorized access with “safe” and “secure” transactions. On its website and in communications with consumers, Dwolla claimed that its data security practices exceeded industry standards and were Payment Card Industry Data Security Standard compliant, that it encrypted all sensitive personal information, and that its mobile applications were safe and secure.
Contrary to its claims, Dwolla failed to employ reasonable and appropriate measures to protect data obtained from consumers from unauthorized access. Dwolla did not encrypt some sensitive consumer personal information, and released applications to the public before testing whether they were secure.
In addition to the $100,000 penalty, Dwolla is required to stop misrepresenting its data security practices, train its employees properly and fix its security flaws.