
PayPal has agreed to pay a $2 million penalty after a breach impacted nearly 35,000 users.
What happened
PayPal has agreed to pay a $2 million penalty to New York, following a 2022 cybersecurity incident.
In January 2023, PayPal sent breach notifications to approximately 35,000 customers after their data had been accessed. According to the report, the breach occurred between December 6th and December 8th, 2022.
The breach was the result of credential stuffing, which occurs when hackers take username and password combinations from past data breaches and attempt to use those credentials in other online services. This strategy can be effective, as many individuals reuse the same login credentials across different websites.
Accessed data included names, addresses, Social Security Numbers, dates of birth and individual tax identification numbers. In response, PayPal required all users to change their passwords and offered credit monitoring and identity theft insurance.
What’s new
Since the breach, PayPal agreed to pay a fine to New York. The state’s law mandates companies like PayPal “use qualified personnel to manage key cybersecurity functions,” including training staff to address cybersecurity concerns.
New York’s Department of Financial Services (DFS) Superintendent, Adrienne Harris, said, “Qualified cybersecurity personnel are the first line of defense against potential data breaches, and providing proper training and effectively implementing cybersecurity policies and procedures are vital steps to protecting sensitive data and mitigating risks.”
According to the DFS, some tax documents on PayPal’s online platform contained unmasked consumer information as a result of an update to the platform. During the update, PayPal failed to carry out its risk identification process because of a clerical error, leaving consumer information exposed online without the team noticing. A day after the issue was discovered, PayPal’s team observed a spike in attempts to access the platform, caused by credential stuffing.
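The credential-stuffing pattern described above (a burst of login attempts replaying reused credentials) is visible on the receiving side as one source trying many different usernames and mostly failing. The following is an added example, not code from PayPal or from the DFS order; it assumes a constructed login-audit format of the form `<ISO timestamp> <source-ip> <username> <LOGIN_OK|LOGIN_FAIL>` and flags sources whose sliding-window activity fits that shape, which is how a team would spot the spike rather than waiting for users to report it.

```python
"""Credential-stuffing detection over constructed login-audit lines.
Assumed log format: "<ISO timestamp> <source-ip> <username> <LOGIN_OK|LOGIN_FAIL>".
Signal: one source trying many distinct usernames, mostly failing, in a short
window; a legitimate user mistyping hits one username from one source."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a user who mistypes once, and a source cycling usernames.
SAMPLE_LOG = """\
2022-12-06T10:00:01 203.0.113.7 alice LOGIN_FAIL
2022-12-06T10:00:09 203.0.113.7 alice LOGIN_OK
2022-12-06T10:01:00 198.51.100.9 bob LOGIN_FAIL
2022-12-06T10:01:01 198.51.100.9 carol LOGIN_FAIL
2022-12-06T10:01:02 198.51.100.9 dave LOGIN_FAIL
2022-12-06T10:01:03 198.51.100.9 erin LOGIN_OK
2022-12-06T10:01:04 198.51.100.9 frank LOGIN_FAIL
2022-12-06T10:01:05 198.51.100.9 grace LOGIN_FAIL
"""

def parse(lines):
    """Yield (timestamp, source, user, ok); skip malformed lines."""
    for line in lines.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, user, result = parts
        yield datetime.fromisoformat(ts), src, user, result == "LOGIN_OK"

def flag_sources(log, window=timedelta(minutes=5), min_users=5, max_success_ratio=0.5):
    """Return {source: distinct_users} for sources that tried at least
    min_users different usernames inside `window` with a low success rate."""
    events = defaultdict(list)
    for ts, src, user, ok in parse(log):
        events[src].append((ts, user, ok))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward so evs[start:end+1] spans <= window.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {u for _, u, _ in chunk}
            successes = sum(1 for _, _, ok in chunk if ok)
            if len(users) >= min_users and successes / len(chunk) <= max_success_ratio:
                flagged[src] = max(flagged.get(src, 0), len(users))
    return flagged
if __name__ == "__main__":
    print(flag_sources(SAMPLE_LOG))  # {'198.51.100.9': 6}
```

Note that the single successful login inside the burst does not suppress the alert: a hit within a stuffing run is exactly the event that needs follow-up (forced password reset, session revocation), so the success ratio is a threshold, not a veto.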
According to the penalty agreement, the fine must be paid within 10 days of the order and cannot be covered by cyber insurance.
The big picture
Ultimately, the DFS commended PayPal for being forthright about the incident during the investigation and for making changes to its cybersecurity policies, including requiring multi-factor authentication for US customers and updating internal operational rules.
While the penalty will likely encourage better cybersecurity practices, much of the data stolen from PayPal is still available on the dark web, despite efforts from law enforcement to shut down illegal marketplaces.
Consumers who use online platforms should remember to use a different password for each service and to change a password if it has been involved in a data breach. Organizations like PayPal should keep in mind the various penalties and fines they could be subjected to for failing to follow proper cybersecurity protocols.