PayPal Fined $2 Million for Cybersecurity Failures Exposing Customer Social Security Numbers
In a recent settlement with the New York State Department of Financial Services (NYDFS), PayPal has agreed to pay a $2 million fine due to cybersecurity deficiencies that led to the exposure of customers' personal information, including Social Security numbers, in late 2022.
The NYDFS investigation revealed that PayPal failed to employ qualified personnel to manage key cybersecurity functions and did not provide adequate training to address cybersecurity risks. These shortcomings allowed cybercriminals to access sensitive customer data for approximately seven weeks.
The breach was discovered after a PayPal security analyst noticed an online message describing a method of exploiting the platform to obtain Social Security numbers. The subsequent investigation revealed that attackers were using "credential stuffing" (trying username and password pairs leaked from other breaches against PayPal login) to access federal tax forms containing personal information. At the time of the breach, PayPal neither required multifactor authentication (MFA) nor implemented controls such as CAPTCHA, the two measures that typically blunt credential-stuffing attacks, so reused credentials alone were enough to gain access.
In response to the incident, PayPal has taken several corrective measures, including implementing MFA for all U.S. customer accounts, enforcing password resets for affected users, and adding CAPTCHA to the login flow. The company stated that protecting consumers' personal information and maintaining a secure platform are top priorities and that it takes its regulatory responsibilities seriously.