
PayPal Agrees to Pay $2 Million Fine for Failing to Comply with Cybersecurity Regulations

PayPal’s Security Lapses Exposed Personal Information of 35,000 Customers

PayPal has agreed to pay a $2 million fine to New York State for failing to comply with cybersecurity regulations. This led to a data breach in 2022 that exposed the personal information of 35,000 customers.

New York Department of Financial Services Finds Security Lapses

The New York Department of Financial Services (DFS) found that PayPal’s security lapses allowed hackers to conduct credential stuffing attacks, gaining unauthorized access to sensitive customer data. In 2023, PayPal disclosed the breach and revealed that it occurred in December 2022. The exposed data included full names, dates of birth, postal addresses, Social Security numbers, and individual tax identification numbers of PayPal customers.

DFS Announces Details of the Breach

New York’s DFS announcement also provided further details about the breach, highlighting that one of PayPal’s security issues stemmed from a mistake in distributing Form 1099-K tax forms on the platform. The DFS explained that customer data was exposed after PayPal implemented changes to existing data flows to make IRS Form 1099-Ks available to more of its customers. However, the teams tasked with implementing these changes were not trained on PayPal’s systems and application development processes. As a result, they failed to follow proper procedures before the changes went live.

How Hackers Breached PayPal Data

Due to faulty implementation, cybercriminals with valid PayPal account credentials were able to access accounts and their associated 1099-K forms, exposing sensitive information. The success of these "credential stuffing" attacks was largely attributed to the absence of mandatory multi-factor authentication (MFA) on the platform at the time. Weak access controls, including the lack of CAPTCHA or rate limiting for automated login attempts, further compounded PayPal’s compliance failures.

PayPal Implements Remediation Measures

Although PayPal later implemented remediation measures, such as masking sensitive data on IRS forms, adding CAPTCHA and rate limiting, and mandating MFA for US customers, these actions came too late, according to the DFS. Under the settlement, PayPal must pay a $2 million fine within 10 days, with no further action unless additional violations are uncovered by DFS.
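The two weaknesses the DFS singled out above (automated logins with no rate limiting, and tax identifiers shown unmasked on a form that any valid credential could pull) can both be addressed with small, testable controls. The following is an added example written for this page, not PayPal's code or anything from the DFS filing: it runs a sliding-window login limiter and a credential-stuffing detector over a constructed login log, and masks SSN/ITIN-shaped values before a 1099-K preview is rendered. The thresholds, IP addresses, usernames and form layout are all assumptions chosen for illustration.

```python
"""Added example: defender-side controls for the two failure modes the
article names, unthrottled automated logins (credential stuffing) and
unmasked tax identifiers on a downloadable form.
Constructed data only; not PayPal's code."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample login log: (timestamp, source IP, username, success).
# One IP walks through many different usernames with mostly failures, the
# classic shape of a credential-stuffing run; the other is a normal user.
SAMPLE_LOGINS = [
    ("2022-12-06T00:00:00", "203.0.113.7", "alice", False),
    ("2022-12-06T00:00:01", "203.0.113.7", "bob", False),
    ("2022-12-06T00:00:02", "203.0.113.7", "carol", True),
    ("2022-12-06T00:00:03", "203.0.113.7", "dave", False),
    ("2022-12-06T00:00:04", "203.0.113.7", "erin", False),
    ("2022-12-06T00:00:05", "203.0.113.7", "frank", False),
    ("2022-12-06T00:05:00", "198.51.100.9", "alice", False),
    ("2022-12-06T00:05:30", "198.51.100.9", "alice", True),
]


class LoginRateLimiter:
    """Sliding-window limiter keyed by source IP.
    Assumed policy: at most `limit` attempts per `window`; further attempts
    inside the window are rejected before the password is even checked."""

    def __init__(self, limit=5, window=timedelta(minutes=1)):
        self.limit = limit
        self.window = window
        self._attempts = defaultdict(deque)

    def allow(self, ip, when):
        q = self._attempts[ip]
        # Drop attempts that have aged out of the window.
        while q and when - q[0] > self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(when)
        return True


def apply_rate_limit(events, limit=5, window=timedelta(minutes=1)):
    """Replay the log through the limiter; return the (ip, user) attempts
    that would have been blocked."""
    limiter = LoginRateLimiter(limit, window)
    blocked = []
    for ts, ip, user, _ok in events:
        when = datetime.fromisoformat(ts)
        if not limiter.allow(ip, when):
            blocked.append((ip, user))
    return blocked


def detect_credential_stuffing(events, min_users=4, max_success_rate=0.5):
    """Flag source IPs that try many distinct usernames with a low success
    rate. Thresholds are assumed policy values, not taken from the article."""
    by_ip = defaultdict(lambda: {"users": set(), "total": 0, "ok": 0})
    for _ts, ip, user, ok in events:
        stats = by_ip[ip]
        stats["users"].add(user)
        stats["total"] += 1
        stats["ok"] += int(ok)
    flagged = []
    for ip, s in by_ip.items():
        if len(s["users"]) >= min_users and s["ok"] / s["total"] <= max_success_rate:
            flagged.append(ip)
    return sorted(flagged)


# SSN/ITIN shape: 3-2-4 digits, with or without dashes.
TIN_RE = re.compile(r"\b(\d{3})-?(\d{2})-?(\d{4})\b")


def mask_tin(text):
    """Replace SSN/ITIN-shaped values so only the last four digits remain."""
    return TIN_RE.sub(r"***-**-\3", text)


def render_1099k_preview(payee_name, tin, gross_amount):
    """Build the on-platform form preview with the TIN masked.
    The layout is constructed for this example, not the real 1099-K."""
    return f"Payee: {payee_name}\nTIN: {mask_tin(tin)}\nGross: {gross_amount}"


if __name__ == "__main__":
    print("blocked by rate limit:", apply_rate_limit(SAMPLE_LOGINS))
    print("stuffing suspects:", detect_credential_stuffing(SAMPLE_LOGINS))
    print(render_1099k_preview("Constructed Payee", "123-45-6789", "1,250.00"))
```

The limiter and the detector are deliberately separate: the limiter is an inline control that refuses the sixth attempt from an address within the window, while the detector is a batch check over the log that would surface an address spraying distinct usernames even if it stayed under the per-window limit. Masking at render time means a stolen password still yields only the last four digits of the identifier on the form.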

Published On Jan 28, 2025 at 10:44 AM IST
