PayPal Settles $2 Million for Data Breach

New York State has finalized a $2 million settlement with PayPal following allegations that the company failed to meet the state’s cybersecurity standards, leading to a significant data breach in 2022.

According to the Department of Financial Services (DFS), attackers took advantage of weaknesses in PayPal’s systems during a credential-stuffing attack, compromising the sensitive data of roughly 35,000 customers.

Details of the Breach

The attack took place between December 6th and December 8th, 2022, when the attackers replayed username and password pairs stolen in earlier, unrelated breaches against PayPal’s login endpoint to gain unauthorized access to user accounts. The breach exposed a range of sensitive information, including:

  • Full names
  • Dates of birth
  • Postal addresses
  • Social Security numbers
  • Individual tax identification numbers

The DFS report also highlighted a specific weakness: a flaw in a change to how PayPal distributed IRS Form 1099-K tax forms.

“Customer data was exposed after PayPal implemented changes to existing data flows to make IRS Form 1099-Ks available to more customers,” said the DFS.

According to the DFS, the teams that implemented the change had not been adequately trained on PayPal’s systems and application development processes, so required review steps were missed before the changes went live.

Key Security Failures

The breach was exacerbated by several critical security lapses, including:

  • Lack of Multi-Factor Authentication (MFA): MFA was not required at the time, so anyone holding a valid username and password pair could log in outright, which is exactly what a credential-stuffing attack supplies.
  • Weak Access Controls: The login flow did not enforce CAPTCHA or rate limiting, so attackers could test large volumes of leaked credential pairs against it with automated tooling without being throttled or challenged.
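The two missing controls above, rate limiting on the login endpoint and detection of the stuffing pattern itself, are straightforward to sketch. The Python below is an added illustration written for this article, not PayPal’s code or anything from the DFS order. It runs a constructed stream of login events (the timestamps, IP addresses and usernames are made up) through a sliding-window limiter keyed by source IP and by account, so that leaked pairs beyond the limit are never even checked against the password database, and then scores each source by how many distinct usernames it tried and how often it failed, which is the signature that separates a stuffing run from a legitimate user mistyping a password.

```python
"""Login-endpoint throttling and credential-stuffing detection.

Added illustration, not PayPal's code. Processes a constructed stream of
login events (unix time, source IP, username, outcome) the way a service
sitting in front of a login endpoint would: a sliding-window limiter per
source IP and per account decides whether a request may reach the
password check at all, and a detector scores sources that spray many
distinct usernames with a high failure rate.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class SlidingWindowLimiter:
    """Allow at most `limit` events per `key` inside any `window` seconds."""
    limit: int
    window: float
    _hits: dict = field(default_factory=lambda: defaultdict(deque))

    def allow(self, key: str, now: float) -> bool:
        q = self._hits[key]
        # Drop timestamps that have fallen outside the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False  # throttled: answer 429 or demand a CAPTCHA here
        q.append(now)
        return True


# Constructed sample events: (unix time, source IP, username, outcome).
# Outcome "ok" means the password was correct, "bad" means it was wrong.
# 10.0.0.9 tries one leaked pair per account across 30 accounts, two of
# which still use the leaked password (the stuffing pattern).
# 192.0.2.7 is a normal user who mistypes once and then logs in.
SAMPLE_EVENTS = [
    (1670284800 + i, "10.0.0.9", f"user{i:03d}@example.com",
     "ok" if i in (4, 17) else "bad")
    for i in range(30)
] + [
    (1670284800 + 5, "192.0.2.7", "alice@example.com", "bad"),
    (1670284800 + 12, "192.0.2.7", "alice@example.com", "ok"),
]


def enforce(events, per_ip=10, per_account=5, window=60.0):
    """Run events through the IP and per-account limiters.

    Returns the events that were allowed to reach the password check;
    the rest are rejected before any credential is verified, so leaked
    pairs beyond the limit are never confirmed as valid.
    """
    ip_limiter = SlidingWindowLimiter(per_ip, window)
    acct_limiter = SlidingWindowLimiter(per_account, window)
    passed = []
    for ts, ip, user, outcome in sorted(events):
        if not ip_limiter.allow(ip, ts):
            continue
        if not acct_limiter.allow(user, ts):
            continue
        passed.append((ts, ip, user, outcome))
    return passed


def stuffing_sources(events, window=60.0, min_attempts=20,
                     min_distinct=15, min_fail_ratio=0.8):
    """Flag source IPs whose traffic looks like credential stuffing.

    A source that tries many distinct usernames inside one window and fails
    most of the time is spraying leaked pairs; a legitimate user retries a
    single account a few times. Returns {ip: (attempts, distinct, fail_ratio)}.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in events:
        by_ip[ip].append((ts, user, outcome))
    flagged = {}
    for ip, rows in by_ip.items():
        rows.sort()
        # Simple sweep: evaluate the window that starts at each event.
        for i, (start, _, _) in enumerate(rows):
            chunk = [r for r in rows[i:] if r[0] - start < window]
            attempts = len(chunk)
            distinct = len({r[1] for r in chunk})
            ratio = sum(1 for r in chunk if r[2] == "bad") / attempts
            if (attempts >= min_attempts and distinct >= min_distinct
                    and ratio >= min_fail_ratio):
                flagged[ip] = (attempts, distinct, round(ratio, 2))
                break
    return flagged


if __name__ == "__main__":
    allowed = enforce(SAMPLE_EVENTS)
    print(f"{len(allowed)} of {len(SAMPLE_EVENTS)} attempts reached the password check")
    print("flagged sources:", stuffing_sources(SAMPLE_EVENTS))
```

With the thresholds above the limiter lets only the first ten attempts from the spraying source through, so just one of its two valid leaked pairs is ever confirmed, and the detector flags the source after a single window while leaving the user who mistyped once alone. The thresholds are illustrative; in production they would be tuned against real traffic, and the per-account limiter should count failures rather than all attempts so an attacker cannot lock a victim out by spamming their account.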

These failures violated several provisions of New York’s Cybersecurity Regulation (23 NYCRR § 500), particularly those related to cybersecurity policies, personnel training, and authentication measures.

Remediation and Settlement

In the wake of the breach, PayPal implemented several security enhancements, including:

  • Masking sensitive data on IRS forms
  • Adding CAPTCHA and rate-limiting mechanisms
  • Requiring MFA for all U.S. customer accounts

The DFS acknowledged these corrective actions but found that they did not undo the harm caused by the initial breach.

Under the settlement terms, PayPal has agreed to pay a $2 million fine within 10 days. The DFS will not take further action unless it uncovers additional violations.

This case underscores the importance of robust cybersecurity practices, especially as regulators continue to enforce stricter compliance measures across the financial sector.
