The New York State Department of Financial Services (DFS) has instructed PayPal to pay $2 million to settle charges related to cybersecurity issues that caused a data breach in 2022.
The breach resulted in the exposure of sensitive customer information, including some individuals’ Social Security numbers and comes as part of ongoing efforts to hold companies accountable for protecting user data and addressing security lapses.
According to the New York DFS, which also noted that PayPal had no multi-factor authentication mandate in place at the time of the breach, the company did not properly adopt and maintain access control, customer data, and identity management policies.
“New York’s nation-leading cybersecurity regulation sets a critical standard for safeguarding consumer data and strengthening the resilience of financial institutions,” said Adrienne Harris, superintendent of DFS.
“Qualified cybersecurity personnel are the first line of defense against potential data breaches, and providing proper training and effectively implementing cybersecurity policies and procedures are vital steps to protecting sensitive data and mitigating risks,” Harris said.
For about seven weeks, sensitive customer data, including names, birthdates, and Social Security numbers, was left exposed to cybercriminals due to a security lapse at PayPal, a digital payments company based in San Jose, California.
The breach was uncovered after a security analyst came across an online message on December 6, 2022, reading “PP EXPLOIT TO GET SSN.”
The following day, PayPal’s cybersecurity team noticed a significant increase in unauthorized attempts to access its platform. They determined that cybercriminals were using “credential stuffing” attacks to access federal tax forms for tens of thousands of customers.
The data became exposed when PayPal made changes to its data flow processes to provide easier access to the forms for more customers.
DFS criticized PayPal for failing to implement adequate security measures, such as multifactor authentication or CAPTCHA, to prevent unauthorized access.
“Protecting consumers’ personal information and maintaining a secure platform is a top priority for us, and we take our regulatory responsibilities seriously,” the company said in a statement.
In response to the breach, PayPal is now requiring multifactor authentication, forcing password resets on affected accounts, and adding CAPTCHA for enhanced security. The fine was for violating the DFS’s 2017 cybersecurity regulation.