PayPal has agreed to pay a $2m settlement to New York State following a data breach in late 2022 that exposed sensitive customer information. The settlement comes after an investigation by the New York Department of Financial Services (DFS) determined that the company violated the state’s cybersecurity regulations.

The breach occurred between 6 and 8 December 2022, during which cybercriminals exploited security vulnerabilities in PayPal’s systems through credential-stuffing attacks. These attacks, which rely on automated attempts to access accounts using stolen or reused login credentials, compromised approximately 35,000 customer accounts. The exposed data included names, dates of birth, postal addresses, Social Security numbers, and tax identification numbers.

The DFS investigation revealed significant shortcomings in PayPal’s cybersecurity practices. One issue identified was an error in the distribution process for IRS Form 1099-K tax forms. The changes made to facilitate broader access to these forms were implemented without following proper procedures, leaving critical customer data exposed. Threat actors with valid login credentials were able to access customer accounts and retrieve sensitive information from these tax forms.

At the time of the breach, PayPal lacked key security features, including mandatory multi-factor authentication (MFA). The company also failed to implement controls such as CAPTCHA and rate limiting to prevent automated login attempts. These gaps violated multiple sections of New York’s Cybersecurity Regulation, including requirements for written cybersecurity policies, personnel training, and access controls.

New York State DFS Superintendent Adrienne Harris stated that PayPal did not use qualified personnel to oversee critical cybersecurity functions or provide adequate training to address evolving risks. These failures contributed to the unauthorised access and exposure of sensitive customer information.

“New York’s nation-leading cybersecurity regulation sets a critical standard for safeguarding consumer data and strengthening the resilience of financial institutions,” said Superintendent Harris. “Qualified cybersecurity personnel are the first line of defence against potential data breaches, and providing proper training and effectively implementing cybersecurity policies and procedures are vital steps to protecting sensitive data and mitigating risks.”

PayPal’s response to the breach

In response to the breach, PayPal has taken steps to address the identified vulnerabilities. The company has implemented measures such as masking sensitive data on IRS forms, introducing CAPTCHA and rate limiting, and making MFA mandatory for all US customers. However, the DFS noted that these actions were implemented after the breach occurred.
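The controls named above, rate limiting on login attempts and detection of credential-stuffing traffic, as an added illustration that is not PayPal's code or part of the DFS findings. The sliding-window limiter is keyed per source IP, and the detector flags sources that cycle through many distinct usernames with a low success ratio; the log lines, thresholds and IP addresses are constructed for the example.

```python
from collections import defaultdict, deque

# Constructed sample authentication log: (timestamp_seconds, source_ip, username, success).
# 203.0.113.7 tries six different usernames in six seconds and gets one hit; that is the
# signature of a credential-stuffing run. 198.51.100.3 is a user retrying a typo.
SAMPLE_LOG = [
    (0, "203.0.113.7", "alice", False),
    (1, "203.0.113.7", "bob", False),
    (2, "203.0.113.7", "carol", False),
    (3, "203.0.113.7", "dave", True),
    (4, "203.0.113.7", "erin", False),
    (5, "203.0.113.7", "frank", False),
    (10, "198.51.100.3", "alice", False),
    (30, "198.51.100.3", "alice", True),
]

class LoginRateLimiter:
    """Sliding-window limiter: at most `limit` attempts per key within `window` seconds."""
    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.attempts = defaultdict(deque)  # key -> timestamps of recent attempts

    def allow(self, key, now):
        q = self.attempts[key]
        while q and now - q[0] >= self.window:  # drop attempts outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

def detect_stuffing(log, window=60, min_users=5, max_success_ratio=0.5):
    """Flag source IPs that hit many distinct usernames with mostly failures inside one window."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in log:
        by_ip[ip].append((ts, user, ok))
    flagged = set()
    for ip, events in by_ip.items():
        events.sort()
        for i, (ts, _, _) in enumerate(events):
            in_win = [e for e in events[i:] if e[0] - ts < window]
            users = {u for _, u, _ in in_win}
            successes = sum(1 for _, _, ok in in_win if ok)
            if len(users) >= min_users and successes / len(in_win) <= max_success_ratio:
                flagged.add(ip)
                break
    return sorted(flagged)

def simulate_limiter(log, limit=3, window=60):
    """Replay the log through a per-IP limiter and return the attempts it would have blocked."""
    rl = LoginRateLimiter(limit, window)
    return [(ts, ip, user) for ts, ip, user, _ in log if not rl.allow(ip, ts)]
```

Replaying the constructed log, the limiter blocks the fourth attempt from the stuffing source, which is the one that would have succeeded, while the legitimate retry from the second address passes untouched.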

Under the settlement terms, PayPal must pay the fine within 10 days. The DFS confirmed no further action will be taken unless additional violations are uncovered.

“The NY DFS Cybersecurity Regulation (23 NYCRR Part 500) is probably one of the most detailed US state-level regulations related to cybersecurity and data protection, resembling EU DORA in its comprehensive nature,” said Dr Ilia Kolochenko, CEO at ImmuniWeb and a Fellow at the British Computer Society (BCS). “This penalty is a clear reminder that cybersecurity is insufficient even if you implement all technical controls by deploying pricey solutions from the leading vendors, but fail to properly organise ongoing and organisation-wide training.”