
American multinational financial technology giant PayPal has been issued a fine of $2 million for failing to protect customer data in a 2022 data security incident.
Recently, the New York state’s Department of Financial Services (DFS) said that PayPal failed to protect customers’ Social Security numbers in a data security incident in 2022 that affected thousands of customers.
In a data breach notification sent to customers in January 2023, PayPal said it had identified unauthorised access to customer accounts and immediately launched an investigation to understand the scope of the incident.
The investigation revealed that threat actors gained access to PayPal's customer accounts using a credential-stuffing attack, in which attackers try combinations of usernames and passwords obtained from previous data leaks against online accounts, relying on password reuse.
The investigation also found that the threat actors gained access to PayPal's internal systems on December 6, 2022. Although the access was terminated on December 8, 2022, the threat actors had already accessed and potentially acquired the sensitive personal information of 34,942 users.
The compromised personal information included customers’ names, addresses, Social Security numbers, individual tax identification numbers, and dates of birth.
Adrienne Harris, New York's financial services superintendent, said that an investigation led by her office found that PayPal failed to use "qualified personnel" to manage key cybersecurity functions. The company also failed to provide adequate training to address cybersecurity risks.
The department’s investigation also revealed that “PayPal failed to implement and maintain written policies that address access controls, identity management, and customer data, and failed to use effective controls to protect against unauthorised access to Nonpublic Information or Information Systems.”
In fact, the company did not require customers to use multifactor authentication or use controls such as CAPTCHA or rate limiting to help prevent unauthorised login attempts.
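The two missing controls the regulator names, rate limiting and detection of unauthorised login attempts, are illustrated below in an added example that is not from the article or from PayPal. It uses a constructed set of login events (the IP addresses are documentation ranges, not real indicators): a detector that flags a source trying many distinct usernames in a short window, which is the signature of credential stuffing rather than a single user mistyping a password, and a sliding-window per-source rate limiter that would have refused the attempt before the password was checked.

```python
from collections import defaultdict, deque

# Constructed sample login events for illustration: (time_s, source_ip, username, success)
SAMPLE_EVENTS = [
    (0, "203.0.113.10", "alice", False),
    (1, "203.0.113.10", "bob", False),
    (2, "203.0.113.10", "carol", False),
    (3, "203.0.113.10", "dave", False),
    (4, "203.0.113.10", "erin", False),
    (5, "203.0.113.10", "frank", True),   # a reused password happened to work
    (10, "198.51.100.7", "alice", False),
    (40, "198.51.100.7", "alice", True),  # legitimate user mistyping once
]

def detect_credential_stuffing(events, window_s=60, max_distinct_users=5):
    """Return source IPs that try more than max_distinct_users distinct usernames
    within any window_s-second span. Successful logins count too: a stuffing run
    is recognised by its breadth of usernames, not by failures alone."""
    flagged = set()
    per_ip = defaultdict(list)  # ip -> [(time, username)] in arrival order
    for t, ip, user, _ok in sorted(events):
        hist = per_ip[ip]
        hist.append((t, user))
        while hist and hist[0][0] < t - window_s:  # drop entries outside the window
            hist.pop(0)
        if len({u for _, u in hist}) > max_distinct_users:
            flagged.add(ip)
    return flagged

class LoginRateLimiter:
    """Sliding-window limiter: at most max_attempts per source within window_s."""
    def __init__(self, max_attempts=5, window_s=60):
        self.max_attempts, self.window_s = max_attempts, window_s
        self._attempts = defaultdict(deque)

    def allow(self, ip, now_s):
        q = self._attempts[ip]
        while q and q[0] <= now_s - self.window_s:
            q.popleft()
        if len(q) >= self.max_attempts:
            return False  # over budget: reject before the password is even checked
        q.append(now_s)
        return True

def simulate(events, limiter):
    """Replay events through the limiter; return the (ip, username) pairs it blocked."""
    return [(ip, u) for t, ip, u, _ in sorted(events) if not limiter.allow(ip, t)]
```

In the sample data the limiter blocks the sixth attempt from the stuffing source, which is the one that would have succeeded, while the legitimate user's retry thirty seconds later is unaffected.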
“New York’s nation-leading cybersecurity regulation sets a critical standard for safeguarding consumer data and strengthening the resilience of financial institutions.
“Qualified cyber security personnel are the first line of defense against potential data breaches, and providing proper training and effectively implementing cyber security policies and procedures are vital steps to protecting sensitive data and mitigating risks,” said Superintendent Harris.
Commenting on the decision, a PayPal spokesperson said that the company co-operated with DFS as and when needed. “Protecting consumers’ personal information and maintaining a secure platform is a top priority for us and we take our regulatory responsibilities seriously,” the spokesperson added.
© 2025, Lyonsdown Limited.