PayPal has been fined $2 million by New York’s Department of Financial Services (NYDFS) for cybersecurity lapses that exposed customers’ Social Security numbers in late 2022.
Adrienne Harris, the state’s financial services superintendent, stated that an investigation revealed PayPal’s failure to employ qualified personnel to oversee critical cybersecurity functions or provide sufficient training to manage cybersecurity threats.
This oversight resulted in customers’ names, dates of birth, and Social Security numbers being vulnerable to cybercriminals for approximately seven weeks.
PayPal cooperated with the investigation and said in a statement, “Protecting consumers’ personal information and maintaining a secure platform is a top priority for us, and we take our regulatory responsibilities seriously.”
According to the consent order, the issue came to light on December 6, 2022, when a PayPal security analyst discovered an online message that read, “PP EXPLOIT TO GET SSN.”
The following day, PayPal’s cybersecurity team identified a surge in attempts to breach its platform.
They determined that cybercriminals were using a method called “credential stuffing” to access federal tax forms for tens of thousands of customers.
The data exposure occurred after PayPal changed its data flows to make these forms available to more users.
Harris criticized PayPal for failing to require multifactor authentication (MFA) or other preventative measures, such as CAPTCHA, to block unauthorized access.
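The article describes PayPal's team noticing a surge of login attempts and attributing it to credential stuffing. The following is an added illustration, not code from the article, PayPal or NYDFS, of how a defender can pick that pattern out of authentication logs: a single source trying many distinct usernames in a short window with a low success rate, which is the signature of a stuffing run rather than one user mistyping a password. The log format, thresholds and sample lines are constructed for the example and would have to be tuned to a real service's traffic.

```python
"""Credential-stuffing detection over authentication logs.

Added example (not from the article or PayPal). The log format, thresholds
and sample lines below are constructed for illustration. A source IP is
flagged when, within any sliding window, it attempts many *distinct*
usernames and most of those attempts fail; the few successes it does get
are the accounts whose passwords should be reset.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "<ISO timestamp> <src_ip> <username> <result>"
SAMPLE_LOG = """\
2022-12-07T10:00:01 203.0.113.5 alice FAIL
2022-12-07T10:00:02 203.0.113.5 bob FAIL
2022-12-07T10:00:02 203.0.113.5 carol FAIL
2022-12-07T10:00:03 203.0.113.5 dave OK
2022-12-07T10:00:03 203.0.113.5 erin FAIL
2022-12-07T10:00:04 203.0.113.5 frank FAIL
2022-12-07T10:00:04 203.0.113.5 grace FAIL
2022-12-07T10:00:05 203.0.113.5 heidi FAIL
2022-12-07T10:00:10 198.51.100.9 alice FAIL
2022-12-07T10:00:20 198.51.100.9 alice FAIL
2022-12-07T10:00:30 198.51.100.9 alice OK
2022-12-07T10:01:00 192.0.2.44 bob OK
"""


def parse_line(line):
    """Split one log line into (timestamp, source_ip, username, succeeded)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"


def detect_stuffing(log_text, window=timedelta(minutes=5),
                    min_users=5, max_success_rate=0.3):
    """Return {source_ip: stats} for sources that look like credential stuffing.

    A source qualifies when some window of at most `window` length contains
    attempts against at least `min_users` distinct usernames with a success
    rate no higher than `max_success_rate`. The thresholds are illustrative
    assumptions; tune them to the service's normal login behaviour.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, ok = parse_line(line)
            events[ip].append((ts, user, ok))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        best = None
        start = 0
        for end in range(len(evs)):
            # Advance the window start so the window never exceeds `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            current = evs[start:end + 1]
            users = {u for _, u, _ in current}
            successes = [u for _, u, ok in current if ok]
            rate = len(successes) / len(current)
            if len(users) >= min_users and rate <= max_success_rate:
                # Keep the widest qualifying window for this source.
                if best is None or len(users) > best["distinct_users"]:
                    best = {
                        "attempts": len(current),
                        "distinct_users": len(users),
                        "success_rate": round(rate, 3),
                        # Accounts that did log in from the suspicious source:
                        # candidates for a forced password reset.
                        "successful_users": sorted(set(successes)),
                    }
        if best:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_stuffing(SAMPLE_LOG).items():
        print(ip, stats)
```

On the constructed sample, 203.0.113.5 is flagged (eight usernames in four seconds, one success) while 198.51.100.9, which only retries a single username, is not. The `successful_users` list is the part a response team acts on first, since those are the accounts the attacker actually got into; blocking or CAPTCHA-challenging the flagged source and requiring MFA address the rest of the run.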
The $2 million penalty was imposed for violating NYDFS’s cybersecurity regulations, implemented in 2017.
Since the incident, PayPal has enhanced its security measures.
The company now mandates MFA for all U.S. customer accounts, has reset passwords on affected accounts, and has introduced CAPTCHA to strengthen protections, according to the consent order.