PayPal fined $2M after exposing New Yorkers’ Social Security Numbers!

PayPal will pay $2m to New York State’s Department of Financial Services after the regulator found that the peer-to-peer (P2P) payment platform had exposed customers’ Social Security numbers because of weak cyber-security controls.

The state agency announced the $2m civil fine on Thurs., accusing PayPal of ‘negligent cyber-security failures’ that led to the data leak.

Unqualified Staff

Adrienne Harris, New York’s Financial Services Superintendent, explained that a probe by her office found PayPal failed to use qualified staff to manage key cyber-security functions or provide adequate training to address cyber-security risks.

This left names, dates of birth & Social Security numbers belonging to customers of the San Jose, California-based digital payments company easily accessible to cyber-criminals for about 7 weeks, she commented.

PayPal cooperated with the probe. “Protecting consumers’ personal information & maintaining a secure platform is a top priority for us & we take our regulatory responsibilities seriously,” the company explained in a statement.

Online Message

According to a consent order, PayPal discovered the problem after a security analyst on Dec. 6, 2022, read an online message that said, “PP EXPLOIT TO GET SSN.”

The next day, PayPal’s cyber-security team saw an increase in attempts to access its online platform & determined that cyber-criminals were using “credential stuffing” to view federal tax forms for tens of thousands of customers.

Data were exposed after PayPal amended existing data flows so it could make the forms available to more customers.

Multifactor

Harris also faulted PayPal for not requiring customers to use multifactor authentication or controls such as CAPTCHA to prevent unauthorised access.

The fine was for violating the financial services department’s cyber-security regulation, adopted in 2017.

PayPal now requires multifactor authentication on all US customer accounts, forced password resets on affected accounts, & has implemented CAPTCHA, the consent order outlined.
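As an added defender-side example (not PayPal’s code and not taken from the consent order), the two points above in one place: the spike signature the cyber-security team noticed, a single source hammering many distinct accounts with a low success rate, and the response of routing such sources to a challenge (CAPTCHA or MFA) instead of plain password login. The log lines, IP addresses, thresholds and function names are all constructed assumptions.

```python
"""Flag credential-stuffing sources in constructed login logs.

Credential stuffing replays leaked username/password pairs at scale, so one
source touches many distinct accounts in a short window with mostly failures.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: timestamp, source IP, account, outcome.
SAMPLE_LOG = """\
2022-12-07T10:00:01Z 203.0.113.7 alice FAIL
2022-12-07T10:00:02Z 203.0.113.7 bob FAIL
2022-12-07T10:00:03Z 203.0.113.7 carol FAIL
2022-12-07T10:00:04Z 203.0.113.7 dave OK
2022-12-07T10:00:05Z 203.0.113.7 erin FAIL
2022-12-07T10:00:06Z 203.0.113.7 frank FAIL
2022-12-07T10:01:00Z 198.51.100.2 alice FAIL
2022-12-07T10:01:30Z 198.51.100.2 alice OK
2022-12-07T10:30:00Z 203.0.113.7 grace FAIL
"""

def parse_log(text):
    """Parse 'ts src account OK|FAIL' lines into (datetime, src, account, ok)."""
    events = []
    for line in text.splitlines():
        ts, src, account, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, account, outcome == "OK"))
    return events

def find_stuffing_sources(events, window=timedelta(minutes=5), min_accounts=5, max_success_rate=0.3):
    """Return {src: (distinct_accounts, attempts)} for every source that, within
    some sliding window, tries >= min_accounts distinct accounts with a success
    rate at or below max_success_rate (assumed thresholds)."""
    by_src = defaultdict(list)
    for ts, src, account, ok in sorted(events):
        by_src[src].append((ts, account, ok))
    flagged = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide window start
                start += 1
            chunk = evs[start:end + 1]
            accounts = {a for _, a, _ in chunk}
            successes = sum(1 for _, _, ok in chunk if ok)
            if len(accounts) >= min_accounts and successes / len(chunk) <= max_success_rate:
                flagged[src] = (len(accounts), len(chunk))
                break  # first qualifying window is enough to flag the source
    return flagged

def auth_policy(src, flagged):
    """Flagged sources get a challenge step (CAPTCHA/MFA) instead of password-only login."""
    return "challenge" if src in flagged else "password"
```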
