PayPal has agreed to pay a $2 million fine to New York’s Department of Financial Services (DFS) following a cybersecurity failure that exposed sensitive customer information, including Social Security numbers, names, and dates of birth, in late 2022.

Customer Data Left Vulnerable

The breach occurred due to PayPal’s lack of qualified cybersecurity staff and insufficient risk management protocols, which allowed cybercriminals to exploit vulnerabilities for seven weeks. The issue was discovered on December 6, 2022, when a PayPal security analyst spotted an online post titled “PP EXPLOIT TO GET SSN.” The following day, unauthorized access attempts surged. Hackers used “credential stuffing” to access federal tax forms for tens of thousands of users, exploiting weaknesses in system changes meant to expand access to those forms.

Regulatory Failures and Security Enhancements

DFS Superintendent Adrienne Harris criticized PayPal for neglecting basic cybersecurity measures, such as multifactor authentication (MFA) and CAPTCHA, which could have prevented the unauthorized access. These lapses violated New York’s 2017 cybersecurity regulations aimed at protecting financial data.

In response, PayPal has since implemented key security measures, including mandatory MFA for all U.S. accounts, enforced password resets for affected users, and CAPTCHA to prevent unauthorized access attempts.

PayPal’s Response and Industry Implications

PayPal has cooperated with the DFS investigation and assured the public that consumer safety is its priority. The company stated, “Protecting consumers’ personal information and maintaining a secure platform is a top priority for us.”

This fine underscores the critical importance of strict cybersecurity compliance in the financial sector. Regulatory bodies like DFS are holding companies accountable for lapses that jeopardize sensitive consumer data.