CFPB fines Dwolla for misrepresenting data security practices

Digital payments outfit Dwolla has been slapped with a $100,000 fine by a US watchdog for "deceiving" consumers about its data security practices.

Dwolla stores personal information - including names, addresses, dates of birth, telephone numbers, Social Security numbers, bank account and routing numbers, passwords, and unique 4-digit PINs - for some 650,000 customers.

According to the Consumer Financial Protection Bureau (CFPB), from December 2010 until 2014 the firm boasted on its website that its data security practices exceeded industry standards and were PCI DSS compliant, with all sensitive information encrypted.

But Dwolla's actual practices "fell far short of its claims," says the CFPB and "such deception about security and security practices is illegal".

In addition to the fine, the CFPB has ordered Dwolla - which neither admitted nor denied the charges - to stop misrepresenting its security practices, train employees properly and fix weaknesses in its web and mobile applications.

In a blog alluding to but not directly mentioning the CFPB ruling, Dwolla stresses that it has never found evidence that it has suffered a data breach, adding that it has "continuously matured our data security practices" and has "never been more proud of our information security policies, procedures, and technologies".