New York’s Department of Financial Services fined PayPal $2 million over cybersecurity failures that occurred in late 2022.
Key Failures Exposed by Investigation
Financial Services Superintendent Adrienne Harris stated that PayPal lacked qualified cybersecurity staff and sufficient training for employees.
These failures left sensitive customer data, including Social Security numbers and birth dates, exposed for seven weeks.
Discovery of the Breach
A security analyst first learned of the breach on December 6, 2022, from an online message referencing “PP EXPLOIT TO GET SSN.”
The next day, PayPal’s cybersecurity team detected unusual login activity and identified it as credential stuffing: attackers logging in with username and password pairs stolen in breaches of other services.
Data Exposed Through Platform Changes
PayPal had modified its data flows to make federal tax forms available to more customers; the change inadvertently exposed the sensitive data on those forms to anyone who could log in to an account.
Vulnerabilities in Security Measures
Harris criticized PayPal for not requiring multifactor authentication and for lacking controls such as CAPTCHA that would have slowed or stopped automated login attempts.
Regulatory Violations and Fine
The company violated New York’s cybersecurity regulation for financial services companies (23 NYCRR Part 500), adopted in 2017, which led to the $2 million penalty.
Cooperation and Upgrades
PayPal cooperated with investigators and has since upgraded its security, including the implementation of CAPTCHA.
The San Jose-based company has not commented on the fine.
Addressing Credential Stuffing Attacks
Attackers used credential stuffing, replaying username and password pairs leaked from other sites’ breaches, to log in to customer accounts and view their tax forms; that an attack this unsophisticated succeeded at scale points to the absence of basic login protections.
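The attack pattern described above, as an added example that is not PayPal’s code and not drawn from the regulator’s findings: a sliding-window detector run over a constructed login log flags a source that sprays many different usernames with a high failure rate, records which accounts it nonetheless reached, and gates requests for sensitive data such as tax forms on the result. The log format, IP addresses, usernames, thresholds and the `decide` policy are all assumptions made for the example.

```python
"""Sliding-window credential-stuffing detector run over a constructed login log.

Added example; not PayPal's code. The log lines, IP addresses, usernames and
thresholds below are all constructed for illustration.
"""
from collections import Counter, deque
from datetime import datetime, timedelta

# Constructed sample log, one attempt per line:
#   "<ISO-8601 UTC time> <source IP> <username> <OK|FAIL>"
# 203.0.113.7 tries 12 different usernames in under 30 s and gets one hit (carol):
# the credential-stuffing signature. 198.51.100.4 is one user mistyping a password.
SAMPLE_LOG = """\
2022-12-07T10:00:00Z 203.0.113.7 alice FAIL
2022-12-07T10:00:02Z 203.0.113.7 bob FAIL
2022-12-07T10:00:05Z 203.0.113.7 carol OK
2022-12-07T10:00:07Z 203.0.113.7 dan FAIL
2022-12-07T10:00:10Z 203.0.113.7 eve FAIL
2022-12-07T10:00:12Z 203.0.113.7 frank FAIL
2022-12-07T10:00:15Z 203.0.113.7 grace FAIL
2022-12-07T10:00:17Z 203.0.113.7 heidi FAIL
2022-12-07T10:00:20Z 203.0.113.7 ivan FAIL
2022-12-07T10:00:22Z 203.0.113.7 judy FAIL
2022-12-07T10:00:25Z 203.0.113.7 mallory FAIL
2022-12-07T10:00:28Z 203.0.113.7 oscar FAIL
2022-12-07T10:01:00Z 198.51.100.4 dave FAIL
2022-12-07T10:01:20Z 198.51.100.4 dave FAIL
2022-12-07T10:01:40Z 198.51.100.4 dave OK
2022-12-07T10:02:00Z 192.0.2.9 erin OK
"""


def parse_log(text):
    """Parse log lines into (timestamp, ip, username, success) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "OK"))
    return sorted(events)


def detect_stuffing(events, window=timedelta(seconds=60),
                    min_attempts=10, min_users=8, min_fail_ratio=0.7):
    """Flag source IPs whose attempts within any `window` span satisfy all of:
    at least `min_attempts` attempts, at least `min_users` distinct usernames,
    and a failure ratio of at least `min_fail_ratio`. Many distinct usernames
    separate stuffing from one user guessing their own password; the high
    failure ratio separates it from a shared NAT address of legitimate users.
    Returns {ip: {"first_flagged": datetime, "compromised": set_of_usernames}},
    where "compromised" holds every account the flagged source logged in to.
    """
    by_ip = {}
    for ev in events:
        by_ip.setdefault(ev[1], []).append(ev)

    findings = {}
    for ip, attempts in by_ip.items():
        recent = deque()        # attempts inside the current window
        users = Counter()       # username -> attempts in window
        failures = 0
        for ts, _, user, ok in attempts:
            recent.append((ts, user, ok))
            users[user] += 1
            failures += 0 if ok else 1
            # Drop attempts that have fallen out of the window.
            while ts - recent[0][0] > window:
                _, old_user, old_ok = recent.popleft()
                users[old_user] -= 1
                if users[old_user] == 0:
                    del users[old_user]
                failures -= 0 if old_ok else 1
            n = len(recent)
            if (ip not in findings and n >= min_attempts
                    and len(users) >= min_users and failures / n >= min_fail_ratio):
                findings[ip] = {"first_flagged": ts, "compromised": set()}
        if ip in findings:
            # The few successes are the incident: those accounts need a forced
            # password reset and MFA step-up before sensitive data is served again.
            findings[ip]["compromised"] = {u for _, _, u, ok in attempts if ok}
    return findings


def decide(ip, user, findings):
    """Gate a request for sensitive account data (such as a tax form) on the
    findings: "block" a flagged source, "step_up" (require MFA or a password
    reset) for an account such a source reached, otherwise "allow"."""
    if ip in findings:
        return "block"
    if any(user in f["compromised"] for f in findings.values()):
        return "step_up"
    return "allow"


if __name__ == "__main__":
    found = detect_stuffing(parse_log(SAMPLE_LOG))
    for ip, f in found.items():
        print(f"{ip}: flagged at {f['first_flagged']:%H:%M:%S}, "
              f"accounts reached: {sorted(f['compromised'])}")
```

Keying only on source IP is the weakest form of this check: a stuffing campaign spread across a botnet keeps each address under the thresholds, so production detectors also track per-username attempt velocity, ASN and device fingerprint. The controls the regulator cited work at a different layer: a CAPTCHA or rate limit raises the cost of each attempt, and mandatory multifactor authentication makes the occasional valid password pair, the `carol` hit above, insufficient to reach the tax form at all.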
Seven Weeks of Vulnerability
The exposed data included names, birth dates, and Social Security numbers, and remained reachable by attackers for nearly two months.
New York Takes Cybersecurity Seriously
Harris emphasized that financial companies must ensure strong cybersecurity to protect customers’ sensitive data.
PayPal’s Response and Future Measures
PayPal has taken steps to strengthen account security and prevent similar breaches, but the incident raises broader concerns about how well digital payment providers protect the data they hold.
Industry-Wide Implications
This case underscores the need for robust cybersecurity measures and accountability across the financial technology sector.
Summary
PayPal’s $2 million fine serves as a warning to companies about the importance of protecting customer data.
New York’s regulations aim to hold firms accountable for cybersecurity failures, ensuring customer information remains secure.