PayPal Fined $2 Million Over Data Breach Impacting 35,000 Social Security Numbers

Digital payments leader PayPal has agreed to pay a $2 million fine following a cybersecurity incident in December 2022 that exposed thousands of Social Security numbers, according to New York state regulators.

The penalty resolves violations of New York’s financial cybersecurity regulations, which require companies like PayPal to employ qualified personnel to manage critical cybersecurity functions and to provide adequate training to mitigate cyber risks. Adrienne Harris, Superintendent of the New York State Department of Financial Services (DFS), emphasized the importance of skilled personnel and robust training in safeguarding sensitive data. “Qualified cybersecurity personnel are the first line of defense against potential data breaches, and providing proper training and effectively implementing cybersecurity policies and procedures are vital steps to protecting sensitive data and mitigating risks,” she said.

In January 2023, PayPal notified nearly 35,000 customers about the breach, which occurred on December 6, 2022. The incident involved a credential stuffing attack, allowing hackers to access sensitive information such as names, addresses, Social Security numbers, individual tax identification numbers, and dates of birth.

According to a consent order released by DFS, a PayPal security analyst discovered an online message that read, “PP EXPLOIT TO GET SSN,” which included instructions to view Social Security numbers on PayPal’s website. Investigations revealed that tax documents on PayPal’s platform contained unmasked consumer information due to a vulnerability introduced during platform changes necessitated by the American Rescue Plan Act in 2022.
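The failure described above (rendered tax documents carrying unmasked Social Security numbers after a platform change) is the kind of regression a release gate can catch. Below is an added example, not code from the article or from PayPal, of a masking helper plus a scanner that checks rendered document text for any SSN-shaped digit run before the document is served. The record, field names and the `render_form` layout are constructed for illustration.

```python
import re

# Matches SSN-shaped runs such as 123-45-6789 or 123456789, but not a
# masked value like XXX-XX-6789 (only four digits remain) and not digits
# embedded in a longer number. Constructed for this example.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-?(\d{2})-?(\d{4})(?!\d)")


def mask_ssn(ssn: str) -> str:
    """Return the display form of an SSN with only the last four digits visible."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError("expected a 9-digit SSN")
    return f"XXX-XX-{digits[-4:]}"


def find_unmasked_ssns(text: str) -> list:
    """List every unmasked SSN-shaped value found in rendered document text."""
    return [m.group(0) for m in SSN_RE.finditer(text)]


def render_form(record: dict, mask: bool = True) -> str:
    """Render a minimal tax-form body. mask=False reproduces the defect class
    the article describes: the raw identifier reaches the rendered document."""
    tin = mask_ssn(record["ssn"]) if mask else record["ssn"]
    return f"Payee: {record['name']}\nTIN: {tin}\nTotal paid: {record['total']}"


def safe_to_serve(rendered: str) -> bool:
    """Release gate: refuse to serve a document that still contains a raw SSN."""
    return not find_unmasked_ssns(rendered)


# Constructed sample record (not a real person or SSN).
SAMPLE_RECORD = {"name": "A. Sample", "ssn": "123-45-6789", "total": "1500.00"}

if __name__ == "__main__":
    for mask in (True, False):
        doc = render_form(SAMPLE_RECORD, mask=mask)
        print(f"mask={mask}: safe_to_serve={safe_to_serve(doc)}")
```

The scanner is deliberately loose (it will flag any nine-digit run shaped like an SSN) because a false positive in a pre-release check is cheap, whereas one unmasked identifier reaching a customer-facing document is the incident itself.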

On December 7, 2022, the day after the security analyst spotted the message, PayPal’s cybersecurity team detected a surge in access attempts to its platform. It concluded that credential stuffing was being used to compromise customer data. The team promptly implemented updates to address the issue. However, further investigation revealed that the initial platform changes had bypassed PayPal’s “Risk and Control Identification Process” because of a clerical error.
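The detection step in the paragraph above (a surge in access attempts attributed to credential stuffing) can be expressed as a simple rule over authentication logs. The following is an added example, not code from the article, PayPal or DFS: one source address trying many distinct usernames inside a short window with a high failure rate is the signature of stuffing, as opposed to one user mistyping a password. The log format, addresses, usernames and thresholds are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<timestamp> <source ip> <username> <FAIL|SUCCESS>".
# 198.51.100.7 cycles through many accounts (stuffing pattern, one success);
# 203.0.113.5 is a single user retrying their own password.
SAMPLE_LOG = """\
2022-12-07T10:00:01 198.51.100.7 alice@example.com FAIL
2022-12-07T10:00:02 198.51.100.7 bob@example.com FAIL
2022-12-07T10:00:03 198.51.100.7 carol@example.com FAIL
2022-12-07T10:00:04 198.51.100.7 dave@example.com SUCCESS
2022-12-07T10:00:05 198.51.100.7 erin@example.com FAIL
2022-12-07T10:00:06 198.51.100.7 frank@example.com FAIL
2022-12-07T10:00:07 198.51.100.7 grace@example.com FAIL
2022-12-07T10:00:08 198.51.100.7 heidi@example.com FAIL
2022-12-07T10:01:00 203.0.113.5 ivan@example.com FAIL
2022-12-07T10:01:05 203.0.113.5 ivan@example.com FAIL
2022-12-07T10:01:10 203.0.113.5 ivan@example.com SUCCESS
2022-12-07T10:30:00 192.0.2.9 judy@example.com SUCCESS
"""


def parse_log(text: str) -> list:
    """Parse log lines into (timestamp, ip, username, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "SUCCESS"))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_users=5, min_fail_rate=0.7):
    """Return {ip: summary} for source IPs whose activity in any sliding window
    of `window` length touches >= min_users distinct accounts with a failure
    rate >= min_fail_rate. Thresholds are illustrative, not tuned values."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {u for _, u, _ in chunk}
            fails = sum(1 for _, _, ok in chunk if not ok)
            fail_rate = fails / len(chunk)
            if len(users) >= min_users and fail_rate >= min_fail_rate:
                # Successful logins inside a stuffing burst are the accounts that
                # need a forced reset and session revocation, so record them.
                summary = {
                    "attempts": len(chunk),
                    "distinct_users": len(users),
                    "fail_rate": fail_rate,
                    "compromised": sorted(u for _, u, ok in chunk if ok),
                }
                # Keep the widest matching window seen for this IP.
                if ip not in findings or summary["attempts"] > findings[ip]["attempts"]:
                    findings[ip] = summary
    return findings


if __name__ == "__main__":
    for ip, summary in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

The rule keys on distinct usernames per source rather than on raw request volume, which is what separates stuffing from an ordinary spike in legitimate traffic; the successes it records are the actionable output, since those are the accounts whose reused passwords were valid.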

As part of the settlement, PayPal agreed to pay the $2 million fine, which cannot be covered by cyber insurance, within 10 days of the consent order’s issuance. DFS acknowledged PayPal’s transparency during the investigation and its proactive measures to enhance security, such as implementing mandatory multifactor authentication for all U.S. customer account logins and revising internal operational policies.

PayPal declined to comment on the matter.

Despite efforts by law enforcement to dismantle marketplaces selling login details, numerous dark web forums continue to trade PayPal credentials. In response to the breach, the 34,942 affected individuals were offered two years of free services from Equifax, including credit monitoring, fraud alerts, and identity restoration.