PayPal fined by New York for cybersecurity failures

(Image credit: PayPal)

PayPal has been fined $2 million for cybersecurity failures
New York State Department of Financial Services fine follows a 2022 data breach
DFS says PayPal failed to properly train workers on security practices

Regulators in New York have issued a $2 million fine to financial service giant PayPal over cybersecurity failures which exposed personally identifiable information (PII) of tens of thousands of customers.

The breach, which occurred in December of 2022, compromised the social security numbers, email addresses, and names of users.

The fine, given by the New York State Department of Financial Services (DFS), follows an investigation into shortcomings in cybersecurity practices in the run up to the breach. The DFS determined that PayPal failed to use ‘qualified personnel’ to manage key cybersecurity functions, and didn’t provide adequate training to address risks in cybersecurity.

Failure to follow procedure

The investigation found these failures enabled the 2022 breach, in which hackers used a technique called ‘credential stuffing’ - where attackers ‘stuff’ login pages with numerous credentials taken from elsewhere until one eventually works.

The customer data was exposed after PayPal made changes to data flows in order to make IRS Form 1099-ks available to more customers. When doing this, the teams implementing the changes weren’t properly trained in PayPal’s systems and application development processes.

Because of this, DFS determined that employees ‘failed to follow proper procedures’ as the changes were made, allowing cybercriminals to exploit exposed credentials to access the forms, which then compromised sensitive customer data.

“New York’s nation-leading cybersecurity regulation sets a critical standard for safeguarding consumer data and strengthening the resilience of financial institutions,” said Superintendent Adrienne A.Harris in a statement.

“Qualified cybersecurity personnel are the first line of defense against potential data breaches, and providing proper training and effectively implementing cybersecurity policies and procedures are vital steps to protecting sensitive data and mitigating risks.”

Aside from the immediate danger of account access, exposed personal information puts customers at risk of identity theft, so check out our recommendations for best identity theft protection if you think you might be exposed.

Check out our list of the best firewall software around today
US state sues T-Mobile over 2021 data breach which leaked data of millions
We've also rounded up the best antivirus on offer right now

Ellen has been writing for almost four years, with a focus on post-COVID policy whilst studying for BA Politics and International Relations at the University of Cardiff, followed by an MA in Political Communication. Before joining TechRadar Pro as a Junior Writer, she worked for Future Publishing’s MVC content team, working with merchants and retailers to upload content.