PayPal has reached a $2 million settlement with the New York State Department of Financial Services (NYDFS) following allegations that cybersecurity deficiencies led to the exposure of sensitive customer data, including Social Security Numbers (SSNs).
An NYDFS investigation revealed that PayPal’s implementation of changes to its data systems—designed to make IRS Form 1099-Ks available to a broader range of users—was handled by teams that were not sufficiently trained in the company’s systems and application development processes.
This lack of expertise led to procedural oversights during the rollout of the changes, allowing cybercriminals to exploit compromised credentials and gain unauthorized access to Form 1099-Ks containing sensitive data.
Key Findings from the NYDFS Investigation
- Insufficient Cybersecurity Oversight: PayPal did not employ adequately qualified personnel to oversee key cybersecurity operations.
- Inadequate Staff Training: The teams responsible for implementing the changes were not properly trained in PayPal’s systems and application development processes.
- Data Breach Incident: Cybercriminals accessed sensitive customer data, including Social Security Numbers, by leveraging compromised credentials.
PayPal’s Response
PayPal discovered the breach in late 2022 and promptly self-reported the incident to regulators. The company has since resolved the cybersecurity gaps identified during the investigation and has implemented enhanced protocols to prevent future breaches, according to the NYDFS.
As part of the settlement, PayPal agreed to pay $2 million and committed to ongoing efforts to bolster its cybersecurity practices.