PayPal Fined $2M for Cybersecurity Failures That Exposed Customer Data
PayPal was fined $2 million for cybersecurity failures that exposed customer Social Security numbers in late 2022. The New York State Department of Financial Services (NYDFS) found that weak security measures left sensitive data vulnerable for seven weeks. The breach was discovered after a credential-stuffing attack targeted users’ federal tax forms. PayPal has since implemented stricter security, including multifactor authentication and CAPTCHA.
PayPal (PYPL.O) has agreed to pay a $2 million fine after a cybersecurity lapse in late 2022 exposed sensitive customer information, including Social Security numbers, according to the New York State Department of Financial Services (NYDFS).
Regulatory Probe Uncovers Security Failures
New York’s financial services superintendent, Adrienne Harris, revealed that an investigation found PayPal failed to employ qualified cybersecurity personnel or provide adequate training to prevent security breaches. This oversight left customers’ names, birthdates, and Social Security numbers vulnerable for about seven weeks, making them easily accessible to cybercriminals.
In response, PayPal cooperated with regulators, stating, “Protecting consumers’ personal information and maintaining a secure platform is a top priority for us, and we take our regulatory responsibilities seriously.”
How the Breach Unfolded
The security lapse was discovered on December 6, 2022, when a PayPal security analyst came across an alarming online message stating:
“PP EXPLOIT TO GET SSN.”
The following day, PayPal’s cybersecurity team noticed a surge in login attempts and determined that attackers were running a “credential stuffing” attack to reach customer tax forms. In credential stuffing, attackers take username and password pairs leaked in breaches of other services and replay them, at high volume and with automated tooling, against the target’s login page; the attack succeeds against every customer who reused the same password on PayPal, which is why the controls listed below (MFA and CAPTCHA) are the standard countermeasures.
The exposure was traced to changes PayPal had made to its data flows. The changes were intended to make tax documents available to more users, but they also made the sensitive data in those documents reachable by anyone who could log in to the account.
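The pattern described above has a recognisable signature in authentication logs: one source tries many distinct accounts in a short time, most attempts fail, and a few succeed. The Python sketch below is an added illustration, not code from PayPal, NYDFS or Reuters. The log format, the IP addresses, the thresholds and the account names are all constructed for the example; it also shows, as a contrast, that a brute-force run against a single account does not match this rule and needs a different detection.

```python
"""Credential-stuffing detector over constructed login events (added example)."""
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    src_ip: str
    user: str
    success: bool


def parse_events(lines):
    """Parse lines of the form 'ISO8601 src_ip username OK|FAIL'.

    This line format is an assumption made for the example, not PayPal's.
    """
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, ip, user, outcome = line.split()
        events.append(LoginEvent(datetime.fromisoformat(ts), ip, user, outcome == "OK"))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_attempts=20,
                    min_distinct_users=15, max_success_ratio=0.25):
    """Return {src_ip: sorted list of accounts that were successfully logged into}
    for every source showing a credential-stuffing pattern: at least
    `min_attempts` logins against at least `min_distinct_users` accounts inside
    `window`, with a success ratio no higher than `max_success_ratio`.
    Thresholds are illustrative assumptions; tune them to real traffic.
    """
    by_ip = {}
    for e in events:
        by_ip.setdefault(e.src_ip, []).append(e)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        win = deque()  # sliding window of events from this source
        for e in evs:
            win.append(e)
            while e.ts - win[0].ts > window:
                win.popleft()
            users = {w.user for w in win}
            successes = sum(w.success for w in win)
            if (len(win) >= min_attempts and len(users) >= min_distinct_users
                    and successes / len(win) <= max_success_ratio):
                # Accounts that accepted a replayed password are the ones that
                # need a forced password reset and a review of what was accessed.
                findings.setdefault(ip, set()).update(w.user for w in win if w.success)
    return {ip: sorted(users) for ip, users in findings.items()}


def build_sample():
    """Constructed log lines: one stuffing run, one legitimate user, one brute force."""
    base = datetime(2022, 12, 7, 9, 0, 0)
    lines = []
    # Attacker replays 30 leaked username/password pairs from one address, one per second;
    # three customers reused their password, so three attempts succeed.
    for i in range(30):
        ok = "OK" if i in (4, 17, 26) else "FAIL"
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 203.0.113.7 user{i:02d} {ok}")
    # A legitimate user mistypes twice, then signs in: few attempts, one account.
    for i, ok in enumerate(["FAIL", "FAIL", "OK"]):
        lines.append(f"{(base + timedelta(seconds=30 * i)).isoformat()} 198.51.100.5 alice {ok}")
    # Brute force against a single account: many failures, but only one target,
    # so it does not match the stuffing rule (a per-account lockout rule would catch it).
    for i in range(25):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 192.0.2.9 bob FAIL")
    return lines


SAMPLE_LINES = build_sample()


def run():
    return detect_stuffing(parse_events(SAMPLE_LINES))


if __name__ == "__main__":
    for ip, users in run().items():
        print(f"{ip}: credential-stuffing pattern; force password reset for {users}")
```

The rule keys on the combination that distinguishes stuffing from other login noise: breadth across accounts plus a low success ratio. A burst of failures against one account, or a normal user retrying a forgotten password, does not trip it. In a real deployment the same logic would run per source network or per device fingerprint as well as per IP, since stuffing tools rotate addresses.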
Weak Security Measures Led to the Incident
Harris criticized PayPal for failing to implement basic security measures, including:
Multifactor authentication (MFA) for account access, so that a password leaked from another service is not enough on its own to log in.
CAPTCHA verification on the login flow, to slow down the automated, high-volume login attempts that credential stuffing depends on.
The company’s failure to comply with New York’s 2017 cybersecurity regulation for financial services firms (23 NYCRR Part 500) ultimately resulted in the $2 million penalty.
PayPal Tightens Security Following Breach
In response to the breach and regulatory scrutiny, PayPal has now enforced stricter security measures, including:
Mandatory multifactor authentication for all U.S. accounts.
Forced password resets for affected users.
Implementation of CAPTCHA to block automated hacking attempts.
While the fine highlights regulatory efforts to hold companies accountable for data security lapses, it also serves as a warning for financial institutions to prioritize cybersecurity in an era of escalating digital threats.
Source: (Reuters)
(Disclaimer: This article is based on publicly available information and reports from Reuters. The details provided aim to inform readers about cybersecurity incidents and financial regulations.)