PayPal Fined $2M Over Cybersecurity Breach Exposing Customer Data

Image by Marques Thomas, from Unsplash

PayPal has been fined $2 million by New York’s Department of Financial Services (DFS) for cybersecurity lapses that resulted in the exposure of customers’ Social Security numbers in late 2022, as first reported by Reuters.

In a Rush? Here are the Quick Facts!

  • Cybercriminals exploited PayPal using “credential stuffing” to access sensitive customer data.
  • PayPal failed to implement multifactor authentication and CAPTCHA during the breach.
  • The company now mandates multifactor authentication and password resets for U.S. accounts.

The breach, which lasted approximately seven weeks, left sensitive data including names, birth dates, and Social Security numbers vulnerable to cybercriminals, DFS announced Thursday.

Adrienne Harris, New York’s financial services superintendent, revealed that PayPal lacked qualified personnel to oversee critical cybersecurity operations and failed to provide adequate training to mitigate risks. These shortcomings made it easier for attackers to exploit the system, noted Reuters.

The issue came to light on December 6, 2022, when a security analyst discovered an online message referencing a vulnerability, labeled “PP EXPLOIT TO GET SSN.” The following day, PayPal’s cybersecurity team detected a surge in unauthorized access attempts on its platform, said Reuters.

Investigations revealed that attackers were employing “credential stuffing” techniques to view federal tax forms belonging to tens of thousands of customers, said Reuters.

The breach occurred after PayPal altered data flow configurations to expand access to these forms, inadvertently exposing sensitive information. Harris also criticized PayPal for failing to implement basic security measures such as multifactor authentication and CAPTCHA to deter unauthorized access, as reported by Reuters.
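The attack pattern the article describes, a surge of login attempts from a source that cycles through many different accounts with leaked credentials, is exactly the signal an authentication-log detector can key on. The following is an added example, not code from the article, PayPal or DFS: it runs a sliding-window rule over constructed log lines and flags any source address that fails against many distinct accounts in a short window. The log format, IP addresses, account names, window and threshold are all invented for the example.

```python
"""
Added example (not from the article, PayPal or DFS): detect the
credential-stuffing pattern over constructed authentication log lines.

Credential stuffing replays leaked username/password pairs against MANY
different accounts, so its signature is one source failing against a large
number of distinct accounts in a short window, usually with a few successes
mixed in. A single-account brute force and an ordinary user mistyping their
own password both fail against ONE account, so they do not match this rule.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # assumed detection window
MIN_DISTINCT_ACCOUNTS = 5       # assumed threshold: distinct accounts failed from one source

# Constructed sample log (format, addresses and accounts are invented):
# <ISO timestamp> <source_ip> <username> <LOGIN_OK|LOGIN_FAIL>
SAMPLE_LOG = """\
2022-12-07T10:00:01Z 203.0.113.10 alice LOGIN_FAIL
2022-12-07T10:00:02Z 203.0.113.10 bob LOGIN_FAIL
2022-12-07T10:00:03Z 203.0.113.10 carol LOGIN_FAIL
2022-12-07T10:00:04Z 203.0.113.10 dave LOGIN_OK
2022-12-07T10:00:05Z 203.0.113.10 erin LOGIN_FAIL
2022-12-07T10:00:06Z 203.0.113.10 frank LOGIN_FAIL
2022-12-07T10:00:07Z 203.0.113.10 grace LOGIN_FAIL
2022-12-07T10:00:08Z 203.0.113.10 heidi LOGIN_OK
2022-12-07T10:01:00Z 198.51.100.7 victim LOGIN_FAIL
2022-12-07T10:01:01Z 198.51.100.7 victim LOGIN_FAIL
2022-12-07T10:01:02Z 198.51.100.7 victim LOGIN_FAIL
2022-12-07T10:01:03Z 198.51.100.7 victim LOGIN_FAIL
2022-12-07T10:01:04Z 198.51.100.7 victim LOGIN_FAIL
2022-12-07T10:01:05Z 198.51.100.7 victim LOGIN_FAIL
2022-12-07T10:02:00Z 192.0.2.5 ivan LOGIN_FAIL
2022-12-07T10:02:10Z 192.0.2.5 ivan LOGIN_FAIL
2022-12-07T10:02:20Z 192.0.2.5 ivan LOGIN_OK
"""


def parse_line(line):
    """Parse one constructed log line into (timestamp, source_ip, user, success)."""
    ts, ip, user, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome == "LOGIN_OK"


def detect_credential_stuffing(log_text, window=WINDOW, min_accounts=MIN_DISTINCT_ACCOUNTS):
    """Return {source_ip: stats} for every source that, within any `window`,
    produced failed logins against at least `min_accounts` distinct accounts.
    stats = distinct accounts failed in the worst window, total successes,
    and total attempts from that source."""
    by_ip = defaultdict(list)
    for raw in log_text.splitlines():
        if raw.strip():
            ts, ip, user, ok = parse_line(raw)
            by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        failures = [(ts, user) for ts, user, ok in events if not ok]
        # Sliding window over failures: track how many distinct accounts
        # this source failed against inside any `window`-long span.
        counts = defaultdict(int)
        start = 0
        worst = 0
        for ts, user in failures:
            counts[user] += 1
            while ts - failures[start][0] > window:   # drop events that fell out of the window
                old_user = failures[start][1]
                counts[old_user] -= 1
                if counts[old_user] == 0:
                    del counts[old_user]
                start += 1
            worst = max(worst, len(counts))
        if worst >= min_accounts:
            flagged[ip] = {
                "distinct_failed_accounts": worst,
                "successes": sum(1 for _, _, ok in events if ok),
                "attempts": len(events),
            }
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: credential stuffing suspected, {stats}")
```

On the constructed log only 203.0.113.10 is flagged: it fails against six distinct accounts in seven seconds and still logs in twice, which is the part that matters, since those two successes are accounts whose reused passwords were in the leaked set. The single-account brute force from 198.51.100.7 and the user fumbling their own password from 192.0.2.5 are not matched by this rule and need different detections. A flagged source is where the controls the article names belong: a CAPTCHA or rate limit on further attempts, a step-up to multifactor authentication on the successes, and a password reset for the accounts that were reached.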

Reuters reports that, in a statement, PayPal acknowledged the investigation and reaffirmed its commitment to safeguarding user information. “Protecting consumers’ personal information and maintaining a secure platform is a top priority,” the company said.

Since the breach, PayPal has implemented multifactor authentication for all U.S. customer accounts, mandated password resets for affected users, and added CAPTCHA to enhance security, noted Reuters.

The $2 million fine is tied to violations of New York’s cybersecurity regulation, which was established in 2017 to enhance protections for financial services, reports Reuters.
