New York Fines PayPal for Cybersecurity Lapses – One America News Network
By Jonathan Stempel
January 23, 2025 – 8:31 AM PST

NEW YORK (Reuters) – PayPal (PYPL.O) has agreed to pay a civil penalty of $2 million due to cybersecurity breaches that led to the exposure of customers’ Social Security numbers in late 2022, as announced by New York state’s Department of Financial Services on Thursday.
Adrienne Harris, the superintendent of financial services for New York, indicated that an investigation by her department revealed that PayPal did not employ qualified personnel for critical cybersecurity roles or provide sufficient training to mitigate cybersecurity risks.
This oversight allowed cybercriminals to access the names, birth dates, and Social Security numbers of customers of the San Jose, California-based digital payments giant for approximately seven weeks, she noted.
PayPal collaborated with the investigation. The company stated, “Safeguarding our consumers’ personal information and ensuring a secure platform is our highest priority, and we take our regulatory obligations very seriously.”
In a consent order, it was noted that PayPal identified the issue after a security analyst, on December 6, 2022, came across a message online stating “PP EXPLOIT TO GET SSN.”
The following day, PayPal’s cybersecurity team noticed an increase in attempts to access its online platform and discovered that cybercriminals were leveraging “credential stuffing” techniques to view federal tax forms belonging to tens of thousands of customers.
Data exposure occurred when PayPal modified existing data processes in order to make the tax forms available to more users.
Harris criticized PayPal for not enforcing multifactor authentication and other security measures such as CAPTCHA to inhibit unauthorized access.
The fine arises from violations of the financial services department’s cybersecurity regulation, established in 2017.
According to the consent order, PayPal now mandates multifactor authentication for all U.S. customer accounts, has initiated password resets for impacted accounts, and has implemented CAPTCHA.
Reporting by Jonathan Stempel in New York; Editing by Hugh Lawson and Bill Berkrot