New York State Department Of Financial Services Imposes $2 Million Penalty On PayPal

New York State Department Of Financial Services Imposes $2 Million Penalty On PayPal

The fine was for violating the regulations adopted in 2017

The New York State Department of Financial Services has stated that PayPal will pay a $2 million penalty over cybersecurity failures, which led to exposing customers' Social Security numbers in late 2022.

Adrienne Harris, the financial services superintendent in New York said that her office’s investigation revealed that PayPal failed to use qualified staff to manage key cybersecurity functions.

She added that the company did not provide adequate training to address cybersecurity risks. This left the name, date of birth and Social Security number of customers of the San Jose, California-based digital payments company, accessible to cybercriminals for about seven weeks.

While cooperating with the probe, PayPal expressed, "Protecting consumers' information and maintaining a secure platform is a top priority for us and we take our regulatory responsibilities seriously.”

The company’s consent order stated that PayPal discovered the problem after a security analyst on 06 December 2022, read an online message saying, “PP exploit to get SSN.”

The next day, PayPal's cybersecurity team saw a spike in attempts to access its online platform. It observed that cybercriminals were using ‘credential stuffing’ to view the tax forms of millions of customers. The data had been exposed after PayPal made changes to make the forms available to more customers.

Superintendent Harris blamed PayPal for not availing customers to use multifactor authentication or controls such as ‘Captcha’ to prevent unauthorized access.

The financial technology company now requires multifactor authentication on all US customer accounts and forced password resets on affected accounts. It has also implemented ‘Captcha’ verification.