- PayPal has been fined $2 million for cybersecurity failures
- New York State Department of Financial Services fine follows a 2022 data breach
- DFS says PayPal failed to properly train workers on security practices
Regulators in New York have issued a $2 million fine to financial service giant PayPal over cybersecurity failures which exposed personally identifiable information (PII) of tens of thousands of customers.
The breach, which occurred in December of 2022, compromised the social security numbers, email addresses, and names of users.
The fine, given by the New York State Department of Financial Services (DFS), follows an investigation into shortcomings in cybersecurity practices in the run up to the breach. The DFS determined that PayPal failed to use ‘qualified personnel’ to manage key cybersecurity functions, and didn’t provide adequate training to address risks in cybersecurity.
Failure to follow procedure
The investigation found these failures enabled the 2022 breach, in which hackers used a technique called ‘credential stuffing’ – where attackers ‘stuff’ login pages with numerous credentials taken from elsewhere until one eventually works.
The customer data was exposed after PayPal made changes to data flows in order to make IRS Form 1099-ks available to more customers. When doing this, the teams implementing the changes weren’t properly trained in PayPal’s systems and application development processes.
Because of this, DFS determined that employees ‘failed to follow proper procedures’ as the changes were made, allowing cybercriminals to exploit exposed credentials to access the forms, which then compromised sensitive customer data.
“New York’s nation-leading cybersecurity regulation sets a critical standard for safeguarding consumer data and strengthening the resilience of financial institutions,” said Superintendent Adrienne A.Harris in a statement.
“Qualified cybersecurity personnel are the first line of defense against potential data breaches, and providing proper training and effectively implementing cybersecurity policies and procedures are vital steps to protecting sensitive data and mitigating risks.”
Aside from the immediate danger of account access, exposed personal information puts customers at risk of identity theft, so check out our recommendations for best identity theft protection if you think you might be exposed.