PayPal has been fined $2 million by New York State’s Department of Financial Services for cybersecurity failures that exposed customers’ Social Security numbers in late 2022.
Adrienne Harris, New York’s financial services superintendent, revealed that a probe uncovered lapses in PayPal’s cybersecurity management.
The digital payment company failed to employ qualified cybersecurity staff or provide adequate training, leaving customers’ names, dates of birth, and Social Security numbers accessible to cybercriminals for approximately seven weeks.
PayPal discovered the breach on December 6, 2022, when a security analyst noticed an online message referencing “PP EXPLOIT TO GET SSN.” The following day, its cybersecurity team detected a spike in unauthorized access attempts: cybercriminals were using “credential stuffing,” replaying username and password pairs leaked from unrelated breaches, to log in to accounts and retrieve the federal tax forms of tens of thousands of users.
The exposure followed a change PayPal made to existing data flows to make certain tax forms accessible to more of its customers. Regulators faulted the company for not requiring multifactor authentication on those accounts and for not deploying controls such as CAPTCHA to slow automated login attempts.
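The signal PayPal’s team picked up on is the classic shape of credential stuffing: one source replaying many different usernames in a short window, with a low success rate because most leaked pairs do not match. The following is an added example, not PayPal’s code or anything from the DFS findings; it runs a simple detector over constructed login events. The log format (`ts src=… user=… result=…`), the five-minute window and the thresholds are all assumptions chosen for illustration, and the helper that lists accounts that did succeed from a flagged source is the follow-up an incident responder would want (those are the accounts to force a reset on).

```python
"""Credential-stuffing detection over constructed login events.

Added example, not PayPal's code. The log format, window size and
thresholds below are assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Assumed log format: "<ISO-8601 UTC> src=<ip> user=<name> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Return a dict for one login event, or None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "src": m["src"], "user": m["user"], "ok": m["result"] == "OK"}


def detect_stuffing(lines, window_seconds=300, min_distinct_users=20, max_success_ratio=0.2):
    """Flag (source, window) pairs that look like credential stuffing.

    A source is flagged when, inside one fixed window, it tries at least
    `min_distinct_users` different usernames and its success ratio is at or
    below `max_success_ratio`. A single user fat-fingering a password never
    trips this, because the distinct-user count stays at one.
    """
    events = [e for e in (parse_line(l) for l in lines) if e]
    buckets = defaultdict(lambda: {"users": set(), "total": 0, "ok": 0})
    for e in events:
        window_start = int(e["ts"].timestamp()) // window_seconds * window_seconds
        b = buckets[(e["src"], window_start)]
        b["users"].add(e["user"])
        b["total"] += 1
        b["ok"] += int(e["ok"])

    alerts = []
    for (src, window_start), b in sorted(buckets.items()):
        distinct = len(b["users"])
        if distinct >= min_distinct_users and b["ok"] / b["total"] <= max_success_ratio:
            alerts.append({
                "src": src,
                "window_start": window_start,
                "distinct_users": distinct,
                "attempts": b["total"],
                "successes": b["ok"],
            })
    return alerts


def compromised_accounts(lines, alerts):
    """Usernames that logged in successfully from a flagged source: the
    accounts whose credentials were valid and should be reset."""
    flagged = {a["src"] for a in alerts}
    hits = set()
    for e in (parse_line(l) for l in lines):
        if e and e["ok"] and e["src"] in flagged:
            hits.add(e["user"])
    return hits


def build_sample_log():
    """Constructed sample: a few legitimate logins plus one stuffing burst."""
    lines = [
        "2022-12-07T09:58:12Z src=198.51.100.10 user=alice result=FAIL",  # typo, then
        "2022-12-07T09:58:40Z src=198.51.100.10 user=alice result=OK",    # success
        "2022-12-07T09:59:05Z src=198.51.100.11 user=bob result=OK",
        "2022-12-07T10:01:30Z src=198.51.100.12 user=carol result=OK",
    ]
    # One address replays 25 leaked username/password pairs in under two
    # minutes; two of the victims reused their password, so those succeed.
    for i in range(25):
        result = "OK" if i in (7, 19) else "FAIL"
        sec = i * 4
        lines.append(
            f"2022-12-07T10:{sec // 60:02d}:{sec % 60:02d}Z "
            f"src=203.0.113.5 user=victim{i:02d} result={result}"
        )
    return lines


if __name__ == "__main__":
    sample = build_sample_log()
    found = detect_stuffing(sample)
    for a in found:
        print(f"ALERT src={a['src']} distinct_users={a['distinct_users']} "
              f"attempts={a['attempts']} successes={a['successes']}")
    print("accounts to reset:", sorted(compromised_accounts(sample, found)))
```

Counting distinct usernames per source is what separates stuffing from a single frustrated user, and it is also why the mitigations the regulator named work: MFA turns a correct password into a failed attempt, and CAPTCHA or rate limiting keeps one address from reaching the attempt count this detector keys on.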
The fine stems from violations of the state’s cybersecurity regulation for financial services companies (23 NYCRR Part 500), in force since 2017. PayPal cooperated with the investigation and has since implemented stronger security measures, including CAPTCHA, to safeguard customer data.
PayPal did not immediately respond to requests for comment regarding the penalty.