Customer Data Exposed Due to Security Failures
PayPal has been ordered to pay a $2 million fine by New York’s Department of Financial Services (DFS). This penalty follows a cybersecurity failure that left sensitive customer information, including Social Security numbers, vulnerable to cybercriminals in late 2022.
Adrienne Harris, New York’s financial services superintendent, revealed that PayPal did not employ qualified cybersecurity staff. Additionally, the company failed to provide sufficient training to address growing cybersecurity risks. These issues left customer data, such as names, dates of birth, and Social Security numbers, accessible to hackers for approximately seven weeks.
The problem came to light on December 6, 2022, when a PayPal security analyst discovered an online message titled “PP EXPLOIT TO GET SSN.” The next day, the cybersecurity team observed a sharp increase in unauthorized access attempts. The attackers used “credential stuffing”: replaying username and password pairs leaked in breaches of other services against PayPal’s login, on the bet that customers had reused them. Accounts where a reused password worked gave access to federal tax forms belonging to tens of thousands of customers.
The breach was linked to changes PayPal made in its data processes to make tax forms available to more users. Because the forms were now retrievable from a broader set of accounts, every account an attacker could log into with a reused password exposed its holder’s form, which is the weakness the attackers exploited.
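The tell-tale signs an analyst would look for in the login logs during an attack like this are (1) one source failing against many different accounts in a short window, and (2) a site-wide spike in failed logins against the recent baseline. The script below is an added illustration of both checks, run over a handful of constructed log lines; it is not code from the article and not PayPal’s own detection logic, and the log format, IPs, usernames and thresholds are all assumptions made for the example.

```python
"""Credential-stuffing detection over constructed auth-log lines (added example).

Two signals:
  1. per-source fan-out: one IP failing against many DIFFERENT accounts inside
     a short window. A user who mistypes a password fails against ONE account;
     a stuffer replays leaked pairs against MANY.
  2. a site-wide spike in failed logins versus the median of earlier buckets,
     which is what a team notices the day after an exploit post goes up.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from statistics import median

# Constructed sample log (NOT PayPal's data). Format assumed for the example:
# "<ISO-8601 UTC timestamp> <source ip> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2022-12-07T09:00:05Z 203.0.113.5 alice FAIL
2022-12-07T09:00:40Z 203.0.113.5 alice FAIL
2022-12-07T09:01:10Z 203.0.113.5 alice OK
2022-12-07T09:03:00Z 203.0.113.9 bob OK
2022-12-07T09:06:00Z 203.0.113.12 carol OK
2022-12-07T09:08:30Z 203.0.113.9 dave OK
2022-12-07T09:10:01Z 198.51.100.7 bob FAIL
2022-12-07T09:10:03Z 198.51.100.7 carol FAIL
2022-12-07T09:10:04Z 198.51.100.7 dave FAIL
2022-12-07T09:10:06Z 198.51.100.7 erin FAIL
2022-12-07T09:10:07Z 198.51.100.7 frank FAIL
2022-12-07T09:10:09Z 198.51.100.7 grace FAIL
2022-12-07T09:10:10Z 198.51.100.7 heidi OK
2022-12-07T09:12:00Z 203.0.113.12 ivan OK
"""


@dataclass
class AuthEvent:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_log(text):
    """Parse the assumed four-column format into AuthEvent records (UTC-aware)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(AuthEvent(when, ip, user, result == "OK"))
    return events


def fan_out_sources(events, window=timedelta(minutes=5), min_failures=5, min_users=4):
    """Return {ip: (failures, distinct_users)} for sources whose failed logins
    inside any sliding `window` reach min_failures across at least min_users
    accounts. alice's two typos against her own account never qualify."""
    fails_by_ip = defaultdict(list)
    for e in events:
        if not e.ok:
            fails_by_ip[e.ip].append(e)
    flagged = {}
    for ip, fails in fails_by_ip.items():
        fails.sort(key=lambda e: e.ts)
        start = 0
        for end, ev in enumerate(fails):
            while ev.ts - fails[start].ts > window:  # slide window start forward
                start += 1
            span = fails[start:end + 1]
            users = {x.user for x in span}
            if len(span) >= min_failures and len(users) >= min_users:
                flagged[ip] = max(flagged.get(ip, (0, 0)), (len(span), len(users)))
    return flagged


def failure_spikes(events, bucket=timedelta(minutes=5), factor=3.0):
    """Return the start times of wall-clock-aligned buckets whose failed-login
    count is at least `factor` times the median of all earlier buckets
    (floored at 1 so a quiet baseline still yields a usable threshold)."""
    if not events:
        return []
    width = bucket.total_seconds()
    key = lambda e: int(e.ts.timestamp() // width)  # epoch-aligned bucket index
    counts = Counter(key(e) for e in events if not e.ok)
    first, last = min(key(e) for e in events), max(key(e) for e in events)
    series = [counts[i] for i in range(first, last + 1)]
    spikes = []
    for i in range(1, len(series)):
        baseline = max(1.0, median(series[:i]))
        if series[i] >= factor * baseline:
            spikes.append(datetime.fromtimestamp((first + i) * width, tz=timezone.utc))
    return spikes


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("fan-out sources:", fan_out_sources(evs))
    print("failure spikes:", failure_spikes(evs))
```

In the sample, 198.51.100.7 is flagged for six failures across six accounts within a few seconds, and the 09:10 bucket is flagged as a spike (six failures against a median of one). In practice stuffing is usually distributed across many proxy IPs to stay under per-source thresholds, so the spike check, or a fan-out check keyed on other request fingerprints instead of IP, is the one that tends to fire first.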
PayPal Criticized for Lack of Basic Security Measures
Harris faulted PayPal for not requiring essential protections such as multifactor authentication (MFA) or CAPTCHA to prevent unauthorized access. Both raise the cost of credential stuffing: CAPTCHA slows automated login attempts, and MFA means a stolen or reused password alone is not enough to get in. Of the two, MFA is the stronger control, since CAPTCHA-solving services are cheap and widely used by attackers. Failing to implement these measures violated New York’s cybersecurity regulation for financial institutions (23 NYCRR Part 500), adopted in 2017 to safeguard sensitive financial information.
In response to the breach, PayPal has introduced stricter security protocols. The company now requires multifactor authentication for all U.S. customer accounts. It also forced password resets for affected accounts and implemented CAPTCHA to block unauthorized access attempts.
PayPal Takes Steps to Strengthen Security
PayPal cooperated with the investigation and acknowledged the importance of improving its cybersecurity practices. In a statement, the company emphasized its commitment to protecting customer data. “Maintaining a secure platform and safeguarding personal information are top priorities for us,” the company said. “We take our regulatory responsibilities very seriously.”
This case underscores the importance of adhering to strong cybersecurity standards. New York’s DFS continues to enforce stringent regulations to ensure companies prioritize protecting sensitive consumer information in an era of rising cyber threats.