New York Fines PayPal for Cybersecurity Lapses – One America News Network


By Jonathan Stempel

January 23, 2025 – 8:31 AM PST

FILE PHOTO: Illustration photo of the PayPal app logo on a mobile device taken on October 16, 2017. REUTERS/Thomas White/File Photo

NEW YORK (Reuters) – PayPal (PYPL.O) has agreed to pay a civil penalty of $2 million due to cybersecurity breaches that led to the exposure of customers’ Social Security numbers in late 2022, as announced by New York state’s Department of Financial Services on Thursday.

Adrienne Harris, the superintendent of financial services for New York, indicated that an investigation by her department revealed that PayPal did not employ qualified personnel for critical cybersecurity roles or provide sufficient training to mitigate cybersecurity risks.

This oversight allowed cybercriminals to access the names, birth dates, and Social Security numbers of customers of the San Jose, California-based digital payments giant for approximately seven weeks, she noted.

PayPal cooperated with the investigation. The company stated, “Safeguarding our consumers’ personal information and ensuring a secure platform is our highest priority, and we take our regulatory obligations very seriously.”

In a consent order, it was noted that PayPal identified the issue after a security analyst, on December 6, 2022, came across a message online stating “PP EXPLOIT TO GET SSN.”

The following day, PayPal’s cybersecurity team noticed an increase in attempts to access its online platform and discovered that cybercriminals were leveraging “credential stuffing” techniques to view federal tax forms belonging to tens of thousands of customers.

Data exposure occurred when PayPal modified existing data processes in order to make the tax forms available to more users.

Harris criticized PayPal for not enforcing multifactor authentication and other security measures such as CAPTCHA to inhibit unauthorized access.

The fine arises from violations of the financial services department’s cybersecurity regulation, established in 2017.

Currently, PayPal mandates multifactor authentication for all U.S. customer accounts, has initiated password resets for impacted accounts, and has implemented CAPTCHA, according to the consent order.

Reporting by Jonathan Stempel in New York; Editing by Hugh Lawson and Bill Berkrot
