PayPal was fined $2M for exposing New Yorkers’ Social Security numbers

PayPal has been fined $2 million by New York State’s Department of Financial Services (NYDFS) for exposing customers’ personal information, including Social Security numbers, due to inadequate cybersecurity controls.

The fine, announced on Thursday, comes after an investigation by the NYDFS revealed significant lapses in PayPal’s cybersecurity practices. These failures left sensitive information, such as names, dates of birth, and Social Security numbers, vulnerable to cybercriminals for approximately seven weeks.

Adrienne Harris, the state’s financial services superintendent, criticized PayPal for not employing qualified personnel to manage critical cybersecurity functions and for failing to train its staff to address cybersecurity risks effectively. She noted that these oversights directly contributed to the exposure of sensitive customer data, and that the breach could have been prevented with proper staffing and training in place.

PayPal cooperated with the investigation and issued a statement emphasizing its commitment to protecting customer information and complying with regulatory standards: “Maintaining a secure platform and safeguarding our customers’ personal information is a top priority for us.” The company also pointed to its efforts to strengthen its security measures going forward.

How the Data Leak Unfolded

The issue came to light on December 6, 2022, when a security analyst discovered an online message referencing a vulnerability: “PP EXPLOIT TO GET SSN.” The following day, PayPal’s cybersecurity team detected a surge in unauthorized access attempts on its platform. The team found that cybercriminals were using credential stuffing, replaying username and password pairs leaked in unrelated breaches against PayPal’s login, to take over accounts and then retrieve federal tax forms containing sensitive data for tens of thousands of users.
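A credential-stuffing burst has a recognisable shape in authentication logs: one source hammers many different accounts, roughly one attempt per account, with a low but non-zero success rate (the leaked pairs that still work are the compromised accounts). The following added example, not PayPal’s code or anything from the NYDFS order, flags that pattern over a constructed log. The log format (timestamp, source IP, username, outcome), the addresses and accounts, and the thresholds are all assumptions chosen for the demonstration.

```python
"""Flag credential-stuffing bursts in authentication logs.

Added example, not PayPal's code. The log format, the sample addresses
and accounts, and the alert thresholds are assumptions for the demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def constructed_sample():
    """Constructed log: one stuffing burst, one normal user, one single-account brute force."""
    names = ["alice", "bob", "carol", "dave", "erin", "frank",
             "grace", "heidi", "ivan", "judy", "mallory", "oscar"]
    lines = []
    # 203.0.113.10: twelve different accounts in twelve seconds, one leaked pair still valid
    for i, n in enumerate(names):
        outcome = "SUCCESS" if n == "dave" else "FAIL"
        lines.append(f"2022-12-07T09:00:{i:02d}Z 203.0.113.10 {n}@example.com {outcome}")
    # 198.51.100.5: a real customer mistypes once, then logs in
    lines.append("2022-12-07T09:03:00Z 198.51.100.5 peggy@example.com FAIL")
    lines.append("2022-12-07T09:03:20Z 198.51.100.5 peggy@example.com SUCCESS")
    # 192.0.2.77: eleven guesses at one account; brute force, not stuffing
    for i in range(11):
        lines.append(f"2022-12-07T09:05:{i:02d}Z 192.0.2.77 trent@example.com FAIL")
    return lines


def parse_line(line):
    """Parse '<iso timestamp> <source ip> <username> <SUCCESS|FAIL>' into a dict."""
    ts, ip, user, outcome = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip, "user": user, "ok": outcome == "SUCCESS"}


def detect_stuffing(lines, window=timedelta(minutes=5), min_attempts=10,
                    min_distinct_users=8, max_success_ratio=0.25):
    """Return {source_ip: summary} for sources whose sliding window of attempts
    covers many distinct accounts with a low success ratio."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it spans at most `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            successes = sum(e["ok"] for e in win)
            if (len(win) >= min_attempts and len(users) >= min_distinct_users
                    and successes / len(win) <= max_success_ratio):
                # later windows overwrite earlier ones, so the summary covers the full burst
                alerts[ip] = {
                    "attempts": len(win),
                    "distinct_users": len(users),
                    "successes": successes,
                    # accounts whose leaked password worked: these need a forced reset
                    "compromised": sorted(e["user"] for e in win if e["ok"]),
                }
    return alerts


if __name__ == "__main__":
    for ip, summary in detect_stuffing(constructed_sample()).items():
        print(ip, summary)
```

The per-account brute force and the customer who mistyped once are deliberately not flagged: the distinguishing feature of stuffing is breadth across accounts, not depth on one. In production the source key should be something harder to rotate than a single IP (ASN, device fingerprint, TLS fingerprint), since stuffing tools spread attempts across proxy pools, and the `compromised` list is the input to the forced password resets and MFA enrolment described later in this article.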

The exposure traces back to a change PayPal made to its internal data flows to make tax forms more accessible to customers; the change inadvertently made the forms, and the sensitive information on them, retrievable from any account an attacker could log into.

Weak Cybersecurity Measures Criticized

The NYDFS faulted PayPal for failing to implement basic security measures such as multifactor authentication (MFA) or CAPTCHA on the login flow, which would have significantly reduced the likelihood of automated, unauthorized access. These deficiencies violated New York’s cybersecurity regulation for financial services companies (23 NYCRR Part 500), introduced in 2017.

PayPal’s Response and Corrective Actions

In the wake of the breach, PayPal has implemented several measures to bolster its security infrastructure. These include:

  • Enforcing mandatory multifactor authentication for all U.S. customer accounts.
  • Forcing password resets for affected accounts.
  • Introducing CAPTCHA to prevent automated unauthorized access attempts.

The company’s $2 million penalty reflects its failure to meet the required standards for protecting sensitive customer data.

Superintendent Harris underscored the importance of robust cybersecurity protocols in today’s digital landscape. “This case highlights the critical need for companies to remain vigilant and proactive in safeguarding sensitive consumer information,” she said.
