PayPal, Inc. has agreed to pay a $2 million penalty to the New York State Department of Financial Services (DFS) after an investigation found that cybersecurity failures led to the exposure of sensitive customer information, including Social Security Numbers (SSNs). The breach stemmed from a December 2022 cybersecurity event in which unmasked customer data was accessible to cybercriminals due to internal mismanagement of security protocols.
The DFS investigation revealed that PayPal violated multiple sections of New York’s Cybersecurity Regulation (23 NYCRR Part 500). Specifically, the company failed to:
- Use qualified cybersecurity personnel to oversee and implement security policies.
- Properly train employees responsible for handling system changes.
- Implement essential access controls, such as multi-factor authentication (MFA) and rate limiting, to prevent unauthorized access.
The breach occurred after PayPal modified its data handling processes to comply with a change in IRS Form 1099-K reporting thresholds. The engineering team responsible for the update was not adequately trained, leading to unredacted personal data being left exposed on PayPal’s platform. Cybercriminals exploited compromised credentials through a credential stuffing attack, gaining access to thousands of customer SSNs and other sensitive information.
The DFS initiated an investigation following PayPal’s disclosure of the incident. The agency found that PayPal’s internal cybersecurity policies were not properly enforced, and critical risk assessments — such as penetration tests and vulnerability scans — were not conducted before launching the system update. This oversight left tens of thousands of customers vulnerable to identity theft.
In response to the breach, PayPal implemented several security enhancements, including masking the exposed data to prevent further leaks, forcing password resets for affected users, adding CAPTCHA and rate limiting to prevent automated credential-stuffing attacks, and mandating MFA for all U.S. customer accounts.
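The rate limiting, CAPTCHA step-up and forced resets listed above are the standard controls against credential stuffing, where one source cycles stolen username/password pairs across many accounts. As an added illustration (example code, not PayPal's; the thresholds and the login-attempt log are constructed assumptions), the following sliding-window throttle shows how those decisions are typically made: lock an account after repeated failures, throttle a source that sends too many attempts, and demand a challenge when one source touches many distinct accounts.

```python
"""Sliding-window login throttling against credential stuffing.

Added example, not PayPal's code. Thresholds and the sample attempt log
below are constructed assumptions chosen to exercise each decision path.
"""
from collections import Counter, defaultdict, deque

WINDOW_SECONDS = 300                   # assumed: sliding window length
MAX_FAILS_PER_ACCOUNT = 5              # assumed: lock the account after this many failures
MAX_ATTEMPTS_PER_SOURCE = 20           # assumed: throttle a source regardless of outcome
MAX_DISTINCT_ACCOUNTS_PER_SOURCE = 10  # assumed: one source trying many accounts is stuffing


def _prune(entries, now):
    """Drop entries older than WINDOW_SECONDS; entries are tuples whose first field is ts."""
    cutoff = now - WINDOW_SECONDS
    while entries and entries[0][0] < cutoff:
        entries.popleft()


class LoginThrottle:
    """Decides, per login attempt, whether to process it, throttle it, or step up."""

    def __init__(self):
        self._fails_by_account = defaultdict(deque)    # account -> deque of (ts,)
        self._attempts_by_source = defaultdict(deque)  # source -> deque of (ts, account)

    def decide(self, now, source, account):
        fails = self._fails_by_account[account]
        attempts = self._attempts_by_source[source]
        _prune(fails, now)
        _prune(attempts, now)
        if len(fails) >= MAX_FAILS_PER_ACCOUNT:
            return "lock_account"       # stop the guessing; drive a password reset
        if len(attempts) >= MAX_ATTEMPTS_PER_SOURCE:
            return "throttle_source"    # too many attempts from one source in the window
        if len({acct for _, acct in attempts}) >= MAX_DISTINCT_ACCOUNTS_PER_SOURCE:
            return "challenge"          # many distinct accounts from one source: CAPTCHA/MFA step-up
        return "allow"

    def record(self, now, source, account, decision, success):
        """Update the windows after an attempt has been handled."""
        self._attempts_by_source[source].append((now, account))
        if decision != "allow":
            return                      # the password was never checked, so no failure to count
        if success:
            self._fails_by_account[account].clear()
        else:
            self._fails_by_account[account].append((now,))

    def handle(self, now, source, account, success):
        decision = self.decide(now, source, account)
        self.record(now, source, account, decision, success)
        return decision


def evaluate_log(events):
    """Replay (ts, source, account, success) events in order; return one decision per event."""
    throttle = LoginThrottle()
    return [throttle.handle(*event) for event in events]


def summarize(decisions):
    """Count decisions by kind, e.g. {'allow': 20, 'challenge': 2, 'lock_account': 2}."""
    return dict(Counter(decisions))


# Constructed sample log: (timestamp_seconds, source_ip, account, password_correct)
SAMPLE_EVENTS = (
    # Stuffing pattern: one source, twelve distinct accounts, every attempt failing.
    [(t, "198.51.100.7", f"user{t:02d}", False) for t in range(12)]
    # A legitimate user mistyping a password three times, then succeeding.
    + [(100, "203.0.113.5", "alice", False), (101, "203.0.113.5", "alice", False),
       (102, "203.0.113.5", "alice", False), (103, "203.0.113.5", "alice", True)]
    # Seven straight failures against one account from one source.
    + [(200 + i, "203.0.113.9", "bob", False) for i in range(7)]
    # The same account much later: the window has slid past the failures, so the lock has expired.
    + [(1200, "203.0.113.9", "bob", True)]
)

if __name__ == "__main__":
    for event, decision in zip(SAMPLE_EVENTS, evaluate_log(SAMPLE_EVENTS)):
        print(event, "->", decision)
    print(summarize(evaluate_log(SAMPLE_EVENTS)))
```

The per-account and per-source windows are deliberately separate: an account lock alone does nothing against a source that touches each account once, which is exactly the stuffing pattern, while the distinct-account count on the source is what triggers the CAPTCHA or MFA step-up. In production the deques would live in a shared store rather than process memory, and the "lock_account" path would feed the forced password reset the article describes.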
DFS acknowledged PayPal’s cooperation and credited its efforts to improve cybersecurity practices following the incident. However, Superintendent Adrienne A. Harris emphasized that “qualified cybersecurity personnel are the first line of defense against potential data breaches,” underscoring the importance of strict compliance with New York’s cybersecurity regulations.
PayPal’s security failures demonstrate that even industry giants are vulnerable when cybersecurity is treated as an afterthought. The $2 million fine may be a relatively small penalty for a company of PayPal’s size, but the reputational damage and regulatory scrutiny could have long-term consequences.
Dominico Saddler
This is ridiculous. I called to let people at PayPal know about over $6,000 missing from my account and I was hung up on.