Silicon Valley tech company says it was target of cyber breach

A Silicon Valley tech company backed by rapper Nas was hit by a security breach earlier this year that revealed it had been lax with users’ sensitive personal information, including bank account numbers, The Post has learned.

Earnin, which is also backed by tech investor Andreessen Horowitz, discovered in February that a third-party security firm had accessed customers’ bank transactions — including all their debit card purchases and payment statements going back for months, the company confirmed to The Post.

The incident prompted Earnin executives to shore up their security generally. They found major weaknesses, sources said. Prior to the breach, for example, the Palo Alto company kept customers’ unencrypted bank account and routing numbers, home and work addresses, phone ID numbers, and users’ GPS coordinates on an internal server, two ex-employees said.

The former employees said the data had been left unprotected because Earnin’s developers had a practice of copying and pasting customer information from a more secure server used for running the app into a less secure server used for testing it.

“It’s something in the water in San Francisco, the whole ‘move fast and break things’ mentality,” one ex-employee told The Post.

“On the account number and routing number, it is true that [they were] being stored in plain text,” the ex-staffer said.

“It was something we were intending to change, but I guess the thought process was that our system was secure enough that this was going to be all right.”

Earnin confirmed that a “white-hat,” or non-malicious, security firm had accessed the bank transactions data in February. It said it hired a cybersecurity firm to review the incident and has since taken corrective action.

“Since discovering the incident, Earnin has further strengthened its systems and procedures to prevent this from happening again,” an Earnin spokeswoman said.

The company also claims that no customer data was misused. “Following a comprehensive forensic review, the cybersecurity firm did not identify evidence of unauthorized changes,” the spokeswoman said.

The data was not downloaded or changed beyond what the security firm accessed, she added.

Earnin, run by CEO Ram Palaniappan, offers users as much as $1,000 a pay cycle in cash advances — a financial product that’s being investigated by a group of 11 states, led by the New York Department of Financial Services, for potentially breaking state usury and payday lending laws.

The white-hat breach was discovered in February after an employee noticed an online post by the security firm referencing an easy-to-access server operated by Earnin, a former staffer said.

In the months that followed, Earnin executives scrambled to plug any remaining holes, internal documents show.

“I hope during Q2 we can get a plan as a company on best practice for protecting data and come to a shared definition of what ‘Protected data’ really means,” Charlie Sibbich, a senior software engineer at the company, wrote in a March 27 Slack message, about a month after the breach was discovered.

In a Slack message on March 8, Palaniappan asks his developers, “How many instances do we have that are open?”

Neither Sibbich nor Palaniappan returned requests for comment.

Nas announced his investment in Earnin in June, months after the breach.

He did not return a request for comment.


The post Silicon Valley tech company says it was target of cyber breach appeared first on Fox USA Live.


