New York Department of Financial Services Reaches $2,000,000 Settlement with Peer-to-Peer Payment Platform

Goodwin
On January 23, 2025, the New York Department of Financial Services (DFS) announced that it reached a $2,000,000 settlement as part of a broader consent order with a peer-to-peer payment platform (“P2P”) about its cybersecurity practices. DFS contended that the P2P violated rules on Cybersecurity Policy, Cybersecurity Personnel and Intelligence, and Multi-Factor Authentication (MFA) after DFS’s investigation into a December 2022 security event.

A security analyst at the P2P discovered a security event on December 6, 2022, which spurred DFS’s investigation. According to DFS, the P2P discovered that the Form 1099-Ks, a type of tax form available on the P2P’s online platform, contained unmasked consumer information, including names, dates of birth, and full SSNs. Per DFS, this vulnerability stemmed from a feature that was recently deployed for tax purposes. The next day, there allegedly was a spike in attempts to access the P2P’s online platform.

DFS identified alleged deficiencies in three areas of the P2P’s cybersecurity program: policy, personnel and intelligence, and MFA. First, the P2P’s policy required new features to be tested; however, this requirement was not followed in practice. The Form 1099-K feature was updated, but engineering teams allegedly misclassified the code change, which resulted in the requisite testing being skipped. The second deficiency, personnel and intelligence, allegedly tied directly to the policy breach. Per DFS, by not properly training the engineering team on the P2P’s policies, the P2P enabled the feature to be deployed without testing. Lastly, the P2P was obligated to use MFA under DFS’s Cybersecurity Regulation, but the MFA feature was allegedly optional for consumers. Per DFS, the security event could have been mitigated if consumers had been able to deny sign-in to threat actors attempting to exploit the bug.

The P2P cooperated with the investigation and rapidly addressed these concerns, drawing praise from DFS. According to DFS, the P2P’s good-faith investigation, its cooperation, the gravity of the incident, and the public interest all factored into the penalty assessment.
