PayPal has agreed to pay a $2 million civil fine for cybersecurity lapses that led to the exposure of customers' Social Security numbers in late 2022, the New York State Department of Financial Services reported on Thursday.
According to Adrienne Harris, New York's financial services superintendent, the department's investigation found that PayPal had failed to employ qualified staff to oversee key cybersecurity functions and had not provided adequate training on handling cybersecurity risks. As a result, customer data, including names, dates of birth, and Social Security numbers, was exposed to cybercriminals for approximately seven weeks.
In a statement, PayPal said, "Protecting consumers' personal information and maintaining a secure platform is a top priority for us and we take our regulatory responsibilities seriously," noting that it had cooperated with the investigation.
The issue came to light after a PayPal security analyst came across an online message on December 6, 2022, referring to a "PP EXPLOIT TO GET SSN". PayPal's cybersecurity team then noticed a surge in login attempts against the online platform and discovered that cybercriminals were using credential stuffing to access the federal tax forms of thousands of customers.
The data was exposed after PayPal changed its data flows to make the forms available to more customers. Harris criticized PayPal for not requiring multifactor authentication and for not using controls such as CAPTCHA to block unauthorized access.
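The detection signal described above, a surge of login attempts that turns out to be credential stuffing, has a recognizable shape in authentication logs: one source trying many distinct accounts with a high failure rate. The following added example (not PayPal's code; the log format, thresholds and sample lines are constructed for illustration) flags that pattern and reports how many of the flagged attempts actually succeeded.

```python
"""Flag credential-stuffing bursts in authentication logs (added example).
The signature is one source trying many distinct accounts with a high failure
rate, unlike brute force against a single account. Log format and thresholds
are assumptions for this example, not anything PayPal published."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "<ISO timestamp> <client ip> <username> <result>"
SAMPLE_LOG = """\
2022-12-06T10:00:01 203.0.113.7 alice FAIL
2022-12-06T10:00:02 203.0.113.7 bob FAIL
2022-12-06T10:00:02 203.0.113.7 carol FAIL
2022-12-06T10:00:03 203.0.113.7 dave OK
2022-12-06T10:00:04 203.0.113.7 erin FAIL
2022-12-06T10:00:05 203.0.113.7 frank FAIL
2022-12-06T10:00:09 198.51.100.2 alice FAIL
2022-12-06T10:00:30 198.51.100.2 alice FAIL
2022-12-06T10:00:45 198.51.100.2 alice OK
2022-12-06T10:05:00 192.0.2.9 grace OK
"""

def parse(log_text):
    """Yield (timestamp, ip, user, ok) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, user, result = parts
        yield datetime.fromisoformat(ts), ip, user, result == "OK"

def detect_stuffing(log_text, window=timedelta(minutes=5),
                    min_users=5, min_fail_ratio=0.6):
    """Return {ip: stats} for sources that, within any `window`, hit at least
    `min_users` distinct accounts with a failure ratio >= `min_fail_ratio`.
    Successes inside a flagged burst are the accounts actually taken over."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(parse(log_text)):
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, events in by_ip.items():
        for i, (t0, _, _) in enumerate(events):
            chunk = [e for e in events[i:] if e[0] - t0 <= window]
            users = {u for _, u, _ in chunk}
            fails = sum(1 for _, _, ok in chunk if not ok)
            if len(users) >= min_users and fails / len(chunk) >= min_fail_ratio:
                flagged[ip] = {"users": len(users), "attempts": len(chunk),
                               "fail_ratio": round(fails / len(chunk), 2),
                               "successes": len(chunk) - fails}
                break
    return flagged
```

Note that 198.51.100.2 is not flagged: repeated failures against a single account are a brute-force pattern, which needs a different rule.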
The penalty was imposed for violating the department's cybersecurity regulation, which took effect in 2017. In response, PayPal has enforced multifactor authentication for all U.S. customer accounts, forced password resets for affected accounts, and added CAPTCHA, under the terms of the consent order.