THE YES (acquired by Pinterest) risk score

Section 1: Company Overview
The Yes is a financial-services organization operating in the digital banking/fintech space. It offers consumer and commercial financial products—accounts, payments, lending and wealth tools—through predominantly online channels. As a firm operating at scale and handling sensitive financial data, The Yes is subject to rigorous regulatory oversight and is expected to maintain enterprise-grade information security. Its digital-first model increases reliance on web and API security, identity controls, and employee governance.

Section 2: Historical Data Breaches
The Yes’s publicly documented security history includes multiple incidents that expose recurring control gaps. An early third‑party access misuse incident resulted in several thousand customers’ records being retrieved under an improperly used access token. In a separate episode tied to litigation disclosure, a large volume of confidential client files—containing personally identifiable information and portfolio details—was provided without sufficient protections, amplifying privacy risk. More recently, The Yes suffered an internal‑handling failure when an employee forwarded customer data to a personal account; that event affected roughly ten thousand customer profiles. Collectively, these events demonstrate threats originating from third‑party integrations, process failures during legal discovery, and insider errors.

Section 3: Recent Security Breach
In June 2023 The Yes experienced an internal control breach in which employee noncompliance led to exposure of approximately 10,000 customer records. The compromised dataset included sensitive customer information. The company terminated the employee, alerted affected customers, and expanded account monitoring. While there was no indication of an external cyberattack, the incident underscores insufficient enforcement of data handling policies and weaknesses in preventative technical controls (e.g., data loss prevention and outbound filtering).

Section 4: Evaluation of Digital Security
Independent evaluation metrics reveal the company’s security posture sits below recommended benchmarks, with several high‑priority gaps:

- Credential hygiene and identity: A notable proportion of staff reused credentials linked to prior breaches, and tens of thousands of corporate credentials were flagged as compromised. This materially raises the risk of account takeover and lateral movement.
- Phishing and endpoint risk: Over a thousand shortcomings were identified in phishing and malware defenses, suggesting anti‑phishing controls, endpoint detection, and user awareness need strengthening.
- Website and transport security: Web infrastructure showed substantial SSL/TLS misconfigurations—an aggregated count in the low thousands in one assessment—which weakens encrypted channels and can enable interception or downgrade attacks.
- Network and email posture: Network configuration showed at least one area requiring remediation; email security controls were generally better in some evaluations but remain an important area for continuous validation.

The Yes’s composite security score from the most recent assessment registered in the low 70s out of 100—adequate in some domains but reflecting sizable remediation debt. By contrast, peer evaluations for smaller fintech providers show higher overall scores despite discrete critical findings (notably SSL issues), indicating that The Yes’s scale exacerbates the impact of unresolved weaknesses.

Audit and expert opinions emphasize systemic causes: inconsistent application of technical controls, gaps in secure development and deployment practices, insufficient segmentation and monitoring, and process weaknesses around legal and HR workflows that permit accidental disclosures. Remediation priorities should be driven by risk to customer PII, regulatory exposure, and potential operational impact.

Conclusion: Is The Yes Safe?
The Yes is not currently at an acceptable security posture. Past accidental disclosures, an internal‑caused 2023 exposure, and assessment results (weak SSL/TLS posture, extensive phishing/malware gaps, and widespread credential compromise) indicate elevated risk to customers and regulatory exposure. Immediate priorities: enforce multifactor authentication and password hygiene, revoke and rotate compromised credentials, deploy enterprise DLP and outbound filtering, remediate TLS configuration across web assets, and conduct targeted staff training and legal‑process hardening. Longer term, implement continuous vulnerability management, stronger segmentation, and independent security audits to reduce financial, reputational, and privacy consequences.