PayPal has agreed to pay a $2 million penalty to the New York State Department of Financial Services (DFS) for violations of the state’s Cybersecurity Regulation. The penalty stems from an investigation that found PayPal had failed to use qualified personnel to manage critical cybersecurity functions. Additionally, the company did not provide adequate training to its employees to address cybersecurity risks, leading to vulnerabilities that exposed sensitive customer data. Among the exposed information were social security numbers (SSNs), which were left unredacted and accessible to cybercriminals.
The investigation revealed that PayPal had implemented changes to its data flows to provide IRS Form 1099-Ks to more customers, but the teams tasked with the implementation were not properly trained on the company’s systems and application development processes. This oversight resulted in failures to follow proper procedures, leaving sensitive data vulnerable to unauthorized access. Cybercriminals were able to exploit compromised credentials to access Form 1099-Ks, which contained customer information such as SSNs.
Furthermore, the DFS found that PayPal did not implement or maintain adequate written policies to address key security measures such as access controls, identity management, and customer data protection. The company also failed to use effective controls to safeguard against unauthorized access to its nonpublic information and systems. Notably, PayPal did not require customers to use multifactor authentication or other essential protections like CAPTCHA or rate limiting, which could have helped prevent unauthorized access to sensitive data.
Since the breach, PayPal has taken corrective actions, including remediating the issues identified in the investigation and improving its cybersecurity practices. The company has since enhanced its internal processes to better safeguard customer data and prevent similar incidents in the future. The DFS Cybersecurity Regulation, which has been in effect since March 2017, remains a critical standard for protecting consumer data and strengthening the resilience of financial institutions.