PayPal Accidentally Exposes Customers’ Social Security Numbers, Fined $2 Million

PayPal has agreed to pay a $2 million civil fine to New York State’s Department of Financial Services (DFS) after an investigation revealed serious cybersecurity flaws that led to the exposure of customers’ Social Security numbers. According to a report by Reuters, the issue stemmed from PayPal’s failure to implement adequate security controls, which allowed cybercriminals to access sensitive personal information.

According to DFS, PayPal’s negligence in managing its cybersecurity infrastructure allowed customers’ names, dates of birth, and Social Security numbers to be exposed for nearly seven weeks. The breach was discovered following a report on December 6, 2022, when a security analyst saw an online message referencing a vulnerability related to Social Security numbers. Subsequently, PayPal’s cybersecurity team noticed an unusual uptick in access attempts, which led them to determine that cybercriminals were using “credential stuffing” attacks to gain unauthorized access to personal details.
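The detection outlined above (an unusual uptick in access attempts that turned out to be credential stuffing) can be expressed as concrete defensive logic. The following is an added example, not code from the original article or from PayPal: the log format, field names, IP addresses (taken from the RFC 5737 documentation ranges) and thresholds are constructed assumptions. It flags a source that generates a burst of login attempts against many distinct accounts with a low success rate, which is the signature that separates replayed leaked credentials from a legitimate user retrying their own password.

```python
"""Flag credential-stuffing activity in authentication logs.

Added illustration: the log format, field names, addresses and thresholds are
constructed assumptions, not PayPal's systems or detection rules.  The signal
is the one the article describes in outline: a source producing a burst of
attempts against many *distinct* accounts with a low success rate, which
ordinary users (who retry their own account) do not produce.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Event:
    ts: datetime
    src: str
    user: str
    ok: bool


def parse_line(line: str) -> Event:
    """Parse a constructed 'TIMESTAMP src=.. user=.. result=OK|FAIL' line."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return Event(ts=ts, src=kv["src"], user=kv["user"], ok=kv["result"] == "OK")


def detect_stuffing(
    events: list[Event],
    window: timedelta = timedelta(minutes=5),
    min_failures: int = 10,
    min_distinct_users: int = 8,
    max_success_rate: float = 0.2,
) -> dict[str, dict]:
    """Return {source: evidence} for sources whose activity in some sliding
    window meets all three criteria.  Per source, the window with the most
    failures is reported."""
    by_src: dict[str, list[Event]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_src[ev.src].append(ev)

    flagged: dict[str, dict] = {}
    for src, evs in by_src.items():
        best: Optional[dict] = None
        start = 0
        for end in range(len(evs)):
            # Advance the window start so the span never exceeds `window`.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            win = evs[start : end + 1]
            failures = sum(1 for e in win if not e.ok)
            distinct_users = len({e.user for e in win})
            success_rate = (len(win) - failures) / len(win)
            if (
                failures >= min_failures
                and distinct_users >= min_distinct_users
                and success_rate <= max_success_rate
                and (best is None or failures > best["failures"])
            ):
                best = {
                    "window_start": evs[start].ts,
                    "window_end": evs[end].ts,
                    "attempts": len(win),
                    "failures": failures,
                    "distinct_users": distinct_users,
                    "success_rate": success_rate,
                }
        if best is not None:
            flagged[src] = best
    return flagged


def build_sample_log() -> list[str]:
    """Constructed log: one legitimate user correcting a typo, and one source
    working through a list of accounts (addresses from RFC 5737 test ranges)."""
    lines = [
        "2022-12-06T10:00:01Z src=198.51.100.7 user=alice result=FAIL",
        "2022-12-06T10:00:09Z src=198.51.100.7 user=alice result=OK",
    ]
    # Burst of 12 attempts against 12 different accounts within 12 seconds;
    # exactly one succeeds, as happens when leaked credentials are replayed.
    for i in range(12):
        result = "OK" if i == 7 else "FAIL"
        lines.append(
            f"2022-12-06T10:00:{10 + i:02d}Z src=203.0.113.5 user=user{i:03d} result={result}"
        )
    return lines


if __name__ == "__main__":
    hits = detect_stuffing([parse_line(line) for line in build_sample_log()])
    for src, ev in hits.items():
        print(
            f"{src}: {ev['failures']} failures across {ev['distinct_users']} accounts "
            f"between {ev['window_start']:%H:%M:%S} and {ev['window_end']:%H:%M:%S}"
        )
```

The thresholds are deliberately illustrative; in practice they are tuned against the site's normal failed-login baseline, and the distinct-account criterion is what keeps a single forgetful user from being flagged. The mitigations the article lists (mandatory multifactor authentication, password resets, CAPTCHA) lower the success rate of such a burst, but the burst itself remains visible in the logs, which is why detection of this kind belongs alongside them rather than in place of them.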

The investigation also found that PayPal had not utilized qualified staff for key cybersecurity functions, nor had it provided sufficient training to address the risks associated with these vulnerabilities. Additionally, PayPal’s failure to require multifactor authentication or implement other protective measures like CAPTCHA left accounts more vulnerable to attack.

In response to the findings, PayPal has since taken corrective actions, including implementing mandatory multifactor authentication for all U.S. accounts, forcing password resets for affected users, and introducing CAPTCHA as an added layer of protection. Despite these efforts, the fine highlights the importance of robust cybersecurity practices in safeguarding user data.

Adrienne Harris, Superintendent of New York’s Department of Financial Services, emphasized that PayPal’s actions violated the state’s cybersecurity regulations. While PayPal has expressed commitment to improving security and protecting consumer information, the incident serves as a reminder of the ongoing risks and the need for strong cybersecurity frameworks in digital finance.