- PayPal was fined $2 million by New York's Department of Financial Services for cybersecurity failures that exposed customer Social Security numbers in late 2022.
- Cybercriminals exploited a vulnerability using "credential stuffing" to access federal tax forms for tens of thousands of customers.
PayPal has agreed to pay a $2 million civil fine for cybersecurity failures that exposed customers' Social Security numbers, according to New York's Department of Financial Services.
The breach, which occurred in late 2022, left sensitive customer information vulnerable for about seven weeks due to inadequate cybersecurity measures.
Adrienne Harris, New York's financial services superintendent, said the investigation revealed PayPal's shortcomings in managing key cybersecurity functions. The company failed to employ qualified personnel or provide adequate training to address cybersecurity risks, leading to the exposure of customer names, dates of birth, and Social Security numbers.
The breach was discovered on December 6, 2022, when a security analyst identified an online message referring to a vulnerability, "PP EXPLOIT TO GET SSN." The following day, PayPal's cybersecurity team observed a spike in unauthorized access attempts, which were later linked to credential stuffing attacks. Through these attacks, cybercriminals accessed federal tax forms for tens of thousands of customers.
The vulnerability stemmed from changes PayPal made to its data flows to expand access to tax forms. Regulators criticized the company for failing to implement robust safeguards, such as multifactor authentication or CAPTCHA, to prevent unauthorized access.
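The spike in unauthorized access attempts described above is the classic footprint of credential stuffing: one source replaying leaked username/password pairs across many accounts, most of which fail. The following is an added illustration, not code from PayPal or the regulator, that flags such sources in a constructed set of authentication events; the IP addresses, usernames and thresholds are made-up assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample of authentication events as (source_ip, username, outcome).
# Values are invented for this example and do not come from the PayPal incident.
SAMPLE_EVENTS = [
    # A normal user mistyping a password twice, then succeeding.
    ("198.51.100.4", "alice", "fail"),
    ("198.51.100.4", "alice", "fail"),
    ("198.51.100.4", "alice", "success"),
] + [
    # One source trying eight different accounts; one reused password works.
    ("203.0.113.7", f"user{n:02d}", "success" if n == 5 else "fail")
    for n in range(8)
]


@dataclass(frozen=True)
class Finding:
    source_ip: str
    distinct_users: int
    attempts: int
    failure_ratio: float


def detect_credential_stuffing(events, min_attempts=5, min_distinct_users=5,
                               min_failure_ratio=0.6):
    """Flag source IPs that try many distinct usernames with a high failure rate.

    A legitimate user touches one or two accounts; a stuffing run touches many.
    Occasional successes (reused passwords) are expected and do not clear a source,
    which is why the rule keys on distinct usernames rather than failures alone.
    """
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "fails": 0})
    for ip, user, outcome in events:
        rec = per_ip[ip]
        rec["users"].add(user)
        rec["attempts"] += 1
        if outcome == "fail":
            rec["fails"] += 1

    findings = []
    for ip, rec in per_ip.items():
        ratio = rec["fails"] / rec["attempts"]
        if (rec["attempts"] >= min_attempts
                and len(rec["users"]) >= min_distinct_users
                and ratio >= min_failure_ratio):
            findings.append(Finding(ip, len(rec["users"]), rec["attempts"], round(ratio, 2)))
    return sorted(findings, key=lambda f: f.attempts, reverse=True)


if __name__ == "__main__":
    for finding in detect_credential_stuffing(SAMPLE_EVENTS):
        print(finding)  # the 203.0.113.7 source is flagged; the normal user is not
```

A flagged source is the point at which the safeguards the regulator named, multifactor authentication and CAPTCHA, would be applied as step-up controls rather than letting the replayed logins proceed.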
PayPal has since cooperated with regulators, implemented stricter security measures, and required multifactor authentication for all U.S. customer accounts. The company also forced password resets for affected accounts and added CAPTCHA controls to enhance platform security.
"Protecting consumers' personal information and maintaining a secure platform is a top priority for us and we take our regulatory responsibilities seriously," PayPal stated.
The fine reflects violations of New York's cybersecurity regulation, which was adopted in 2017 to ensure the safety of sensitive financial data.
Edited by Harshajit Sarmah