"PayPal Slapped with $2 Million Fine for Massive Cybersecurity Failure – Are Your Personal Details Safe?"

  • Writer: Tech Brief
  • Jan 27
  • 2 min read

In late 2022, PayPal experienced a significant data breach resulting from cybersecurity deficiencies, leading to the exposure of sensitive customer information, including Social Security numbers. The breach was attributed to inadequate staffing and training in key cybersecurity roles, which left customer data vulnerable to cybercriminals for approximately seven weeks. The incident was identified after PayPal's cybersecurity team noticed a surge in unauthorized access attempts and discovered that attackers were employing "credential stuffing" techniques to access federal tax forms. At the time, PayPal did not mandate multifactor authentication (MFA) or implement controls like CAPTCHA to secure accounts. In response to these failures, the New York State Department of Financial Services imposed a $2 million fine on PayPal for violating the state's cybersecurity regulations. Following the breach, PayPal has taken corrective measures, including implementing MFA on all U.S. accounts, enforcing password resets, and adding CAPTCHA to enhance security.

Reuters

Sources

1. PayPal fined by New York for cybersecurity failures

The New York State Department of Financial Services fined PayPal $2 million for cybersecurity failures that led to the exposure of customers' Social Security numbers in late 2022. The investigation revealed that PayPal lacked qualified staff to manage key cybersecurity functions and failed to provide adequate training to address cybersecurity risks. This negligence allowed cybercriminals to access sensitive customer data for about seven weeks. PayPal has since implemented multifactor authentication on all U.S. customer accounts, forced password resets on affected accounts, and added CAPTCHA to enhance security.

Reuters

2. PayPal to pay $2 million settlement over 2022 data breach

New York State announced a $2 million settlement with PayPal over charges that it failed to comply with the state's cybersecurity regulations, leading to a 2022 data breach. Threat actors exploited security gaps in PayPal's systems to conduct credential stuffing attacks, gaining access to sensitive customer information. The breach exposed data such as full names, dates of birth, postal addresses, Social Security numbers, and individual tax identification numbers. Following the incident, PayPal took remediation steps, including masking sensitive data on IRS forms, implementing CAPTCHA and rate limiting, and making multifactor authentication mandatory for all U.S. customer accounts.

BleepingComputer

3. PayPal Hit With $2 Million Fine For Cybersecurity Failures

The New York State Department of Financial Services imposed a $2 million fine on PayPal for violations of its cybersecurity regulations. The penalty stems from failures in PayPal’s cybersecurity practices that led to a data breach in December 2022, exposing sensitive customer information, including Social Security numbers, names, and dates of birth. The breach occurred after PayPal implemented changes to its data flows to make IRS Form 1099-Ks accessible to a broader customer base, but the teams responsible for the rollout were not adequately trained, leading to vulnerabilities. Hackers exploited these vulnerabilities through credential stuffing attacks. Following the breach, PayPal took immediate action to mitigate the damage, including implementing CAPTCHA and rate-limiting controls, masking exposed customer data, resetting passwords for affected accounts, making multifactor authentication mandatory for all U.S.-based accounts, and enhancing employee training on secure application development.

Cyber Security News