PayPal Hit With $2 Million Fine For Cybersecurity Failures
The New York State Department of Financial Services (NYDFS) has imposed a $2 million fine on PayPal, Inc. for violations of its stringent cybersecurity regulations.
The penalty stems from failures in PayPal’s cybersecurity practices that led to a data breach in December 2022, exposing sensitive customer information, including Social Security numbers (SSNs), names, and dates of birth.
The breach occurred after PayPal implemented changes to its data flows to make IRS Form 1099-Ks accessible to a broader customer base.
The Breach and Its Consequences
The engineering team responsible for the rollout, however, misclassified the project as a platform migration rather than a new feature.
This oversight bypassed critical risk assessments and vulnerability scans required under PayPal’s own policies. Consequently, the updated forms went live with unmasked customer data.
Hackers exploited these vulnerabilities through a credential stuffing attack—a method where stolen username-password combinations from other breaches are used to gain unauthorized access.
Between December 6 and December 8, 2022, approximately 35,000 accounts were compromised. Attackers accessed sensitive nonpublic information (NPI), including SSNs and tax identification numbers.
Although no unauthorized transactions were reported, the breach exposed customers to identity theft risks.
Regulatory Violations
NYDFS’s investigation revealed multiple lapses in PayPal’s compliance with its cybersecurity framework, including:
- Unqualified Cyber Security Personnel: PayPal failed to employ adequately trained personnel to oversee critical cybersecurity functions.
- Lack of Training: Teams responsible for implementing the IRS Form 1099-K changes were not trained on PayPal’s application development processes.
- Weak Access Controls: The company did not enforce multifactor authentication (MFA) or implement CAPTCHA or rate-limiting controls to prevent unauthorized access.
- Policy Deficiencies: PayPal lacked robust written policies addressing access controls, identity management, and data protection.
Superintendent Adrienne A. Harris emphasized the importance of robust cybersecurity measures in safeguarding consumer data.
“New York’s nation-leading cybersecurity regulation sets a critical standard for protecting sensitive information and ensuring the resilience of financial institutions,” she stated.
Harris criticized PayPal for failing to implement basic protections like MFA and CAPTCHA, which could have mitigated the breach.
The NYDFS Cybersecurity Regulation has been in effect since March 2017 and was recently amended in November 2023 to impose stricter requirements on financial institutions.
These include mandatory reporting of cybersecurity incidents within 72 hours and enhanced access control mechanisms.
PayPal’s Remediation Efforts
Following the breach, PayPal took immediate action to mitigate the damage:
- Implemented CAPTCHA and rate-limiting controls.
- Masked exposed customer data.
- Reset passwords for affected accounts.
- Made MFA mandatory for all U.S.-based accounts.
- Enhanced employee training on secure application development.
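The two technical controls the article keeps returning to are rate limiting against credential stuffing and masking of the SSN/TIN fields that the 1099-K change exposed. The following is an added example, not code from PayPal, NYDFS, or the article's author: it parses a small constructed authentication log, flags the credential-stuffing signature (one source address trying many distinct accounts in a short window), applies a per-source rate limit, and masks tax identifiers before they reach a form. The log format, thresholds and helper names are assumptions chosen for the demo.

```python
"""Added example: login rate limiting, credential-stuffing detection and
SSN/TIN masking.  Not PayPal's or NYDFS's code; the log lines, thresholds
and field names below are constructed for illustration."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample auth log: 203.0.113.7 sprays six different accounts in a
# few seconds (the credential-stuffing shape, with a couple of hits), while
# 198.51.100.9 is one user who mistyped a password once and then signed in.
SAMPLE_LOG = """\
2022-12-06T10:00:01Z ip=203.0.113.7 user=alice result=FAIL
2022-12-06T10:00:02Z ip=203.0.113.7 user=bob result=FAIL
2022-12-06T10:00:02Z ip=203.0.113.7 user=carol result=SUCCESS
2022-12-06T10:00:03Z ip=203.0.113.7 user=dave result=FAIL
2022-12-06T10:00:03Z ip=203.0.113.7 user=erin result=FAIL
2022-12-06T10:00:04Z ip=203.0.113.7 user=frank result=SUCCESS
2022-12-06T10:00:05Z ip=198.51.100.9 user=grace result=FAIL
2022-12-06T10:00:09Z ip=198.51.100.9 user=grace result=SUCCESS
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)"
)


def _epoch(ts: str) -> int:
    """Convert the log's UTC timestamp to integer epoch seconds."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def parse_log(text: str) -> list:
    """Turn raw log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append({"ts": _epoch(m["ts"]), "ip": m["ip"],
                           "user": m["user"], "result": m["result"]})
    return events


def detect_stuffing(events: list, min_distinct_users: int = 4) -> dict:
    """Credential stuffing looks like one source trying many *different*
    accounts, so count distinct usernames per source IP and flag sources
    at or above the threshold.  Returns {ip: distinct_user_count}."""
    users_by_ip = defaultdict(set)
    for e in events:
        users_by_ip[e["ip"]].add(e["user"])
    return {ip: len(u) for ip, u in users_by_ip.items() if len(u) >= min_distinct_users}


@dataclass
class LoginRateLimiter:
    """Sliding-window limiter keyed on source IP: once `max_attempts` have
    been seen inside `window_seconds`, further attempts are refused before
    the credentials are even checked.  A production limiter would also key
    on the target account and on device/session signals."""
    max_attempts: int = 5
    window_seconds: int = 60
    _attempts: dict = field(default_factory=lambda: defaultdict(list))

    def allow(self, ip: str, ts: int) -> bool:
        recent = [t for t in self._attempts[ip] if ts - t < self.window_seconds]
        if len(recent) >= self.max_attempts:
            self._attempts[ip] = recent
            return False
        recent.append(ts)
        self._attempts[ip] = recent
        return True


def mask_tin(value: str) -> str:
    """Mask a 9-digit SSN/TIN for display, keeping only the last four digits
    and preserving any hyphenation the caller used."""
    if len(re.sub(r"\D", "", value)) != 9:
        raise ValueError("expected a 9-digit SSN/TIN")
    out, seen = [], 0
    for ch in value:
        if ch.isdigit():
            seen += 1
            out.append(ch if seen > 5 else "*")
        else:
            out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("suspected stuffing sources:", detect_stuffing(evts))
    limiter = LoginRateLimiter(max_attempts=5, window_seconds=60)
    for e in evts:
        print(e["ip"], e["user"], "allowed" if limiter.allow(e["ip"], e["ts"]) else "RATE-LIMITED")
    print(mask_tin("123-45-6789"))
```

The detector and the limiter are deliberately separate: the limiter is an inline control that refuses the sixth attempt from the spraying address regardless of whether the password would have been correct, while the detector is the batch view a SOC would run over the same log to find sources that slipped under the limit.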
A PayPal spokesperson stated that “Protecting customer data remains a top priority and we take our regulatory responsibilities seriously”.
This event highlights the increased regulatory scrutiny that NYDFS-regulated fintech companies are subject to. Financial institutions should take note of the $2 million penalty as a warning about the consequences of poor cybersecurity procedures.
As cyber threats evolve, financial institutions must prioritize compliance with robust security frameworks to protect sensitive customer data and maintain public trust.