New York state regulators have fined PayPal $2 million following a cybersecurity incident in late 2022 that exposed sensitive customer information, including Social Security numbers. The breach, attributed to a credential stuffing attack, affected nearly 35,000 individuals and highlighted gaps in PayPal’s cybersecurity protocols, including insufficient staff training and the lack of multifactor authentication (MFA).
The New York Department of Financial Services (DFS) faulted the company for failing to use qualified personnel to manage key cybersecurity functions, failing to implement effective access controls, and failing to adequately protect consumer data.
PayPal, while cooperating with the investigation, has since upgraded its security protocols, including mandating MFA for all U.S. accounts and enhancing internal operational processes to prevent future incidents.
Why It Matters: Cybersecurity remains a central concern as digital payment platforms like PayPal handle vast amounts of personal and financial data. Breaches like this underscore the importance of strong security measures, regulatory oversight, and organizational accountability in protecting consumer information and building trust in financial services.
- The Breach and Its Discovery: In December 2022, PayPal identified a spike in platform access attempts after an online message detailed how to exploit the company’s systems to retrieve Social Security numbers. The breach lasted approximately seven weeks, exposing sensitive data such as names, addresses, and birthdates.
- Credential Stuffing Exploitation: Cybercriminals used credential stuffing, replaying username and password pairs leaked from breaches of other services against PayPal's login page; the technique only works against customers who reused a password, which is why MFA and bot controls, rather than password rules alone, are the relevant defenses. The exposure was linked to changes PayPal made so that more customers could access IRS Form 1099-K tax forms under the American Rescue Plan Act of 2021.
- Regulatory Findings: New York DFS found PayPal lacked qualified cybersecurity staff and failed to implement preventive measures like multifactor authentication or CAPTCHA, which could have blocked unauthorized access attempts.
- PayPal’s Response and Upgrades: After the breach, PayPal mandated MFA for U.S. customers, implemented CAPTCHA, and enforced password resets on affected accounts. The company also revised internal processes to strengthen oversight and risk management.
- The Financial and Legal Consequences: PayPal agreed to pay a $2 million fine, which cannot be covered by insurance, and provided impacted customers with two years of free credit monitoring services through Equifax. Regulators commended PayPal for cooperating with the investigation and making meaningful changes.
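The signals DFS describes, a spike in login attempts from automated reuse of leaked credentials, are detectable in ordinary authentication logs. The following is an added example (not PayPal's or DFS's code) of the detection logic a platform could run over its own logs; the log format, IP addresses, usernames and thresholds are constructed for illustration. It separates credential stuffing (many distinct usernames from one source, mostly failing) from a benign user mistyping a password and from single-account brute force, and lists the accounts that did log in so they can be forced through a password reset and MFA enrolment.

```python
"""Flag credential-stuffing activity in authentication logs.

Added example, not PayPal's or NYDFS's code. The log format, IP addresses,
usernames and thresholds are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class WindowStats:
    """Counters for one (source IP, time window) pair."""
    attempts: int = 0
    successes: int = 0
    usernames: set = field(default_factory=set)   # distinct accounts tried
    hit_users: set = field(default_factory=set)   # accounts that logged in


def parse_line(line: str):
    """Parse a constructed log line: '<iso8601> <src_ip> <username> <OK|FAIL>'."""
    ts, src_ip, username, result = line.split()
    return datetime.fromisoformat(ts), src_ip, username, result == "OK"


def detect_credential_stuffing(lines, window=timedelta(minutes=5),
                               min_attempts=20, min_distinct_users=10,
                               max_success_rate=0.25):
    """Return one alert per (src_ip, window) whose traffic looks like stuffing.

    Signature: many attempts, many *different* usernames, mostly failures.
    The success-rate cap separates stuffing (only the few reused passwords
    work) from a corporate NAT gateway where most logins succeed.
    """
    stats = defaultdict(WindowStats)
    secs = window.total_seconds()
    for line in lines:
        ts, src_ip, username, ok = parse_line(line)
        key = (src_ip, int(ts.timestamp() // secs))   # fixed-size time bucket
        s = stats[key]
        s.attempts += 1
        s.usernames.add(username)
        if ok:
            s.successes += 1
            s.hit_users.add(username)
    alerts = []
    for (src_ip, bucket), s in sorted(stats.items()):
        rate = s.successes / s.attempts
        if (s.attempts >= min_attempts
                and len(s.usernames) >= min_distinct_users
                and rate <= max_success_rate):
            alerts.append({
                "src_ip": src_ip,
                "window_start": datetime.fromtimestamp(bucket * secs, tz=timezone.utc),
                "attempts": s.attempts,
                "distinct_users": len(s.usernames),
                "success_rate": round(rate, 3),
                # accounts to force through password reset and MFA enrolment
                "compromised_users": sorted(s.hit_users),
            })
    return alerts


def build_sample_log():
    """Constructed authentication events (not real traffic) in one 5-minute window."""
    base = datetime(2022, 12, 6, 10, 0, tzinfo=timezone.utc)

    def stamp(i):
        return (base + timedelta(seconds=i)).isoformat()

    lines = []
    # 198.51.100.4: one person mistypes twice, then logs in. Benign.
    for i, res in enumerate(("FAIL", "FAIL", "OK")):
        lines.append(f"{stamp(i)} 198.51.100.4 bob {res}")
    # 203.0.113.7: 30 usernames from a leaked list; two customers reused that password.
    for i in range(30):
        res = "OK" if i in (7, 19) else "FAIL"
        lines.append(f"{stamp(i)} 203.0.113.7 user{i:03d} {res}")
    # 192.0.2.9: 25 failures against a single account. Brute force, not stuffing
    # (one username), so this rule leaves it to a per-account lockout rule.
    for i in range(25):
        lines.append(f"{stamp(i)} 192.0.2.9 carol FAIL")
    return lines


if __name__ == "__main__":
    for alert in detect_credential_stuffing(build_sample_log()):
        print(alert)
```

Run stand-alone, the script reports only 203.0.113.7 (30 attempts, 30 distinct usernames, 2 successes), with user007 and user019 listed for forced resets. The thresholds are deliberately conservative; in production they would be tuned against a baseline of normal per-source volume, and the per-source key would typically be widened to an ASN or device fingerprint, since stuffing tools rotate through proxy IPs.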
PayPal fined by New York for cybersecurity failures – Reuters
New York State Fines PayPal for $2 Million Over 2022 Breach of Customer Accounts – MSSP Alert