BOSTON – A California company that processes payments for rental and vacation properties will pay $155,000 to resolve allegations that it violated consumer protection and data security laws by exposing the personal information of 6,800 Massachusetts residents online, Attorney General Maura Healey announced today.
In the assurance of discontinuance, filed in Suffolk Superior Court, Yapstone Holdings Inc. has also agreed to comply with state laws and implement policies to improve the security of its systems and protect sensitive consumer data online.
“This company broke the law by failing to take immediate action when consumers’ personal information was at risk,” said AG Healey. “Through our settlement, Yapstone will pay a penalty and take significant steps to safeguard the personal information of customers.”
The AG’s Office began its investigation after Yapstone notified the office of the incident in 2015. The investigation revealed that in July 2014, while modifying Yapstone’s website, the company’s engineers accidentally removed password protections from public-facing websites used to sign users up for Yapstone’s service. These websites stored consumers’ personal information, such as bank account and social security numbers, addresses, and driver’s license numbers. The mistake rendered the webpages publicly viewable to anyone on the internet for more than a year. The investigation found that Yapstone employees appeared to have been aware of the vulnerability in August 2014 but neglected to fix it until August 2015, when another employee discovered it.
The settlement requires Yapstone to maintain a chief information security officer, train employees on data security, and assess and update information security policies relating to changes to its systems and to external vulnerabilities.
The AG’s Office enforces the Massachusetts Data Security Regulations, which require businesses and organizations to develop, implement, and maintain a written information security program and protect the personal information of Massachusetts consumers.
If you believe that you have been the victim of a data breach, you will need to take additional steps to protect your credit and your personal information. For additional information, consumers may contact the Attorney General’s consumer hotline at (617) 727-8400. Guidance for businesses on data breaches can be found here.
This matter was handled by Assistant Attorneys General Jared Rinehimer and Michael Lecaroz and Director of Data Privacy and Security Sara Cable, all of the AG’s Consumer Protection Division.