PayPal, Inc., one of the world’s leading financial technology firms, has agreed to pay a $2 million penalty to New York State following a cybersecurity breach that exposed sensitive customer information, including Social Security numbers.
The settlement, announced by Superintendent Adrienne A. Harris of the New York State Department of Financial Services (DFS), stems from violations of the state's Cybersecurity Regulation. The DFS investigation found that PayPal did not use adequately trained personnel for critical cybersecurity tasks and did not sufficiently prepare its workforce to manage cybersecurity risk. Those shortcomings left gaps that allowed cybercriminals to retrieve unredacted customer data from IRS Forms 1099-K.
“New York’s nation-leading cybersecurity regulation sets a critical standard for safeguarding consumer data and strengthening the resilience of financial institutions,” Harris said. “Qualified cybersecurity personnel and properly implemented policies are essential in protecting sensitive information and mitigating risks.”
The breach traced back to changes PayPal made to its data systems to expand the availability of Forms 1099-K. The teams that implemented the changes reportedly lacked training on PayPal's internal systems and did not follow the required protocols, so the forms were left accessible without the sensitive fields redacted. Attackers who logged in with compromised customer credentials could then view forms containing customers' Social Security numbers and other sensitive information.
The DFS also uncovered broader deficiencies in PayPal's cybersecurity practices. The company had no written policies for access controls or identity management, and it had not implemented effective safeguards against unauthorized account access, such as multifactor authentication and bot-detection controls like CAPTCHA, which are the standard defenses against logins that use stolen credentials. PayPal has since addressed these weaknesses and enhanced its cybersecurity practices.
New York's Cybersecurity Regulation (23 NYCRR Part 500), in force since 2017, was amended in November 2023 to further strengthen protections for consumer data. Harris emphasized that companies must continually adapt and enforce robust cybersecurity measures to prevent incidents like this one.
The consent order detailing the settlement is available on the DFS website.