PayPal Pays $2 Million Cybersecurity Settlement to New York Regulator

January 27, 2025

PayPal, Inc. will pay a $2 million penalty to New York State for violations of the state’s financial services industry cybersecurity regulation.

The failures in December 2022 led to sensitive customer information, including social security numbers, being left unredacted and easily accessible to cybercriminals, according to the New York Department of Financial Services.

DFS Superintendent Adrienne A. Harris said her department’s investigation determined that PayPal, one of the largest financial technology companies, failed to use qualified personnel to manage key cybersecurity functions and failed to provide adequate training to address cybersecurity risks.

DFS said customer data was exposed after PayPal implemented changes to existing data flows to make IRS Form 1099-Ks available to more of its customers. However, DFS said the teams tasked with implementing these changes were not trained on PayPal’s systems and application development processes. As a result, they failed to follow proper procedures before the changes went live. This allowed cybercriminals to leverage compromised credentials to access Form 1099-Ks, which contained sensitive customer data such as SSNs, according to state investigators.

DFS said its investigation also revealed that PayPal did not require customers to use multifactor authentication, nor did it use controls such as CAPTCHA or rate limiting to help prevent unauthorized access. PayPal has since remediated these issues and improved its cybersecurity practices.
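The two controls DFS names in that paragraph, rate limiting at the login endpoint and detection of credential stuffing against it, are simple to illustrate. The following Python is an added example written for this article; it is not PayPal's code, not anything DFS published, and the log format, thresholds, account names and IP addresses in it are constructed for the illustration. It shows a sliding-window limiter that counts failed logins per account and per source IP (so a valid stolen password is still refused once the account or the IP has tripped the limit), plus a detector that flags an IP attempting logins across many distinct accounts in a log.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class LoginRateLimiter:
    """Sliding-window limiter: at most max_attempts failed logins per
    window_seconds for a key such as 'acct:<id>' or 'ip:<addr>'.
    Hypothetical helper, not a real PayPal component."""
    max_attempts: int = 5
    window_seconds: float = 300.0
    _failures: dict = field(default_factory=lambda: defaultdict(deque))

    def _prune(self, key, now):
        # Drop failure timestamps that have aged out of the window.
        q = self._failures[key]
        while q and now - q[0] > self.window_seconds:
            q.popleft()

    def is_blocked(self, key, now):
        self._prune(key, now)
        return len(self._failures[key]) >= self.max_attempts

    def record_failure(self, key, now):
        self._prune(key, now)
        self._failures[key].append(now)

    def record_success(self, key):
        self._failures.pop(key, None)


def attempt_login(limiter, account, client_ip, password_ok, now):
    """Gate a login attempt. Returns 'blocked', 'failed' or 'ok'.
    Both the account and the client IP are checked, so spraying many
    accounts from one address is throttled as well as guessing one account.
    Note that a correct password is still refused while either key is blocked."""
    for key in (f"acct:{account}", f"ip:{client_ip}"):
        if limiter.is_blocked(key, now):
            return "blocked"
    if not password_ok:
        limiter.record_failure(f"acct:{account}", now)
        limiter.record_failure(f"ip:{client_ip}", now)
        return "failed"
    limiter.record_success(f"acct:{account}")
    return "ok"


# Constructed sample log lines in a made-up format (not real PayPal logs).
SAMPLE_LOG = """\
2022-12-06T10:00:01Z login ip=198.51.100.7 acct=user01 result=ok
2022-12-06T10:00:02Z login ip=198.51.100.7 acct=user02 result=ok
2022-12-06T10:00:03Z login ip=198.51.100.7 acct=user03 result=fail
2022-12-06T10:00:04Z login ip=198.51.100.7 acct=user04 result=ok
2022-12-06T10:00:05Z login ip=203.0.113.9 acct=alice result=ok
"""

LOG_RE = re.compile(r"^(\S+) login ip=(\S+) acct=(\S+) result=(\S+)$")


def accounts_per_ip(log_text):
    """Count distinct accounts each IP attempted to log into, success or not.
    Credential stuffing with stolen passwords often succeeds on the first try,
    so the signal is breadth of accounts per source, not failures alone."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        _, ip, acct, _ = m.groups()
        seen[ip].add(acct)
    return {ip: len(accts) for ip, accts in seen.items()}


def flag_spraying_ips(log_text, max_accounts=3):
    """Return IPs that touched more than max_accounts distinct accounts."""
    return sorted(ip for ip, n in accounts_per_ip(log_text).items() if n > max_accounts)


if __name__ == "__main__":
    lim = LoginRateLimiter(max_attempts=3, window_seconds=60)
    for t in range(3):
        print(attempt_login(lim, "bob", "10.0.0.1", False, t))   # failed x3
    print(attempt_login(lim, "bob", "10.0.0.1", True, 3))        # blocked
    print(flag_spraying_ips(SAMPLE_LOG))                         # ['198.51.100.7']
```

The per-IP key is what matters against the scenario DFS describes: with already-compromised credentials there is nothing to guess, so a limiter keyed only on the account never fires, while the account-breadth check in `flag_spraying_ips` and the IP key in the limiter both react to one source working through a list of victims.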

The DFS Cybersecurity Regulation has been in effect since March 2017, with the second amendment becoming effective in November 2023.
